1  Introduction


Recently Goldwasser, Micali, and Rackoff in [GoMiRa] have shown that it is possible to prove that some
theorems are true without giving the slightest hint of why this is so. This is rigorously formalized in the
somewhat paradoxical notion of a zero-knowledge proof system (ZKPS).

Zero-knowledge proofs have proven to be very useful both in Complexity Theory and in Cryptography.
For instance, in Complexity Theory, via results of Fortnow [Fo] and Boppana, Hastad, and Zachos
[BoHaZa], zero-knowledge provides us an avenue to convince ourselves that certain languages are not
NP-complete. In cryptography, zero-knowledge proofs have played a major role in the recently proven
completeness theorem for protocols with honest majority [GoMiWi2], [ChCrDa], [BeGoWi]. They also
have inspired rigorously-analyzed identification schemes [FeFiSh], [MiSh] that are as efficient as folklore
ones.

Despite its wide applicability, zero-knowledge remains an intriguing notion: What makes zero-knowledge
proofs work?

Three main ingredients differentiate standard zero-knowledge proofs from more traditional ones:

1.  Interaction:  The  prover  and  the  verifier  talk  back  and  forth. 

2.  Hidden Randomization: The verifier tosses coins that are hidden from the prover and thus
unpredictable to him.

3.  Computational  Difficulty:  The  prover  embeds  in  his  proofs  the  computational  difficulty  of  some 
other  problem. 

Blum, Feldman, and Micali [BlFeMi] were the first to conceive that the above ingredients may not be
necessary. They proposed the following scenario as one in which zero-knowledge proofs may be achieved.

A Conceptual Scenario: Think of A and B as two mathematicians. After having played “heads and
tails” for a while, or having both witnessed the same random event, A leaves for a long trip around the
world, during which he continues his mathematical investigations. Whenever he discovers the proof of a
new theorem, he writes a postcard to B proving the validity of his assertion in zero-knowledge. Notice
that this is necessarily a non-interactive process; better said, it is a mono-directional interaction: from A
to B only. In fact, even if B would like to answer or talk to A, he couldn't: A has no fixed (or predictable)
address and will move away before any mail can reach him.

Notice that sharing a random string σ is a weaker requirement than being able to interact. In fact, if A
and B could interact they would be able to construct a common random string, for instance by coin
tossing over the phone [Bl1]; the converse, however, is not true.

Public Randomness. Sharing a common random string is a requirement weaker than having both parties
access a random beacon in Rabin's sense (e.g., the same Geiger counter). In this latter case, in fact,
all coin tosses already made would be seen by the prover, but the future ones would still be unpredictable to
him. By contrast, our model allows the prover to see in advance the outcome of all the coin tosses the
verifier will ever make. That is, the zero-knowledgeness of our proofs does not depend on the secrecy or
unpredictability of σ but on the “well mixedness” of its bits!¹

Arthur-Merlin Games and Interactive Proof Systems. The question of the power of hidden randomness
versus public randomness has already been discussed in Complexity Theory in the context of proof
systems. Goldwasser, Micali, and Rackoff [GoMiRa] and Babai and Moran [Ba, BaMo] consider proofs
as games played between two players, Prover and Verifier, who can talk back and forth. In [GoMiRa],
the Verifier is allowed to flip fair coins and hide their outcomes from the Prover. In [Ba, BaMo], all coin
tosses made by the Verifier are seen by the Prover (called respectively Arthur and Merlin in proof systems
of this type). For a while it seemed that interactive proof systems might be more powerful (i.e. capable
of proving more languages) than Arthur-Merlin ones. Quite surprisingly, Goldwasser and Sipser [GoSi]
showed that the two models are equally powerful.

¹This curious property makes our result potentially applicable. For instance, all libraries in the country possess identical
copies of the random tables prepared by the Rand Corporation. Thus, we may think of ourselves as being already in the
scenario needed for non-interactive zero-knowledge proofs.

Proving the existence of non-interactive zero-knowledge proofs can be thought of as proving that Arthur-
Merlin proof systems are as powerful as interactive ones also with respect to knowledge complexity. We
make this explicit in Section 5.5.

Protocols for non-interactive zero-knowledge were presented in [BlFeMi] and [DeMiPe1]. These protocols,
though, had a very subtle bug, pointed out to us by Mihir Bellare.² This problem is taken care of
here by adopting a different approach.

Organization. The next section is devoted to setting up our notation, recalling some elementary facts
from Number Theory and stating the complexity assumption which suffices to show the existence of
Non-Interactive ZKPS.

In  section  3  we  define  the  notion  of  bounded  non-interactive  zero  knowledge;  that  is,  the  “single 
theorem”  case. 

In Section 4 we show that a special number theoretic language L possesses a bounded non-interactive
zero-knowledge proof. That is, if Prover and Verifier share a random string, then it is possible to prove,
non-interactively and in zero knowledge, that any single, sufficiently shorter x ∈ L.

In Section 5, under the quadratic residuosity assumption, we prove that the “more general” language
of 3SAT is in bounded non-interactive zero-knowledge.

Only in Section 6 do we show that, if deciding quadratic residuosity is hard, the prover can show in
zero-knowledge membership in NP languages for any number of strings each of arbitrary size, using the
same randomly chosen string.

In  section  7  we  will  discuss  some  related  work. 

In  section  8  we  will  state  some  open  problems  that  we  would  love  to  see  solved. 


2  Preliminaries 

2.1  Basic  definitions. 


Notations. We denote by $\mathbb{N}$ the set of natural numbers. If $n \in \mathbb{N}$, by $1^n$ we denote the concatenation of
n 1's. We identify a binary string σ with the integer x whose binary representation (with possible leading
zeroes) is σ.

By  the  expression  |x|  we  denote  the  length  of  x  if  x  is  a  string,  the  length  of  the  binary  string  representing 
x  if  x  is  an  integer,  the  absolute  value  of  x  if  x  is  a  real  number,  or  the  cardinality  of  x  if  x  is  a  set. 

If σ and τ are binary strings, we denote their concatenation by either σ ∘ τ or στ.

A language is a subset of $\{0,1\}^*$. If L is a language and k > 0, we set $L_k = \{x \in L : |x| \le k\}$. For variety
of discourse, we may call “theorem” a string belonging to the language at hand. (A “false theorem” is a
string outside L.)

²The mentioned problem occurred only in the “many-theorems” part. That is, when the basic protocols for proving a
single theorem in non-interactive zero knowledge were extended to proving an unbounded number of theorems using the
same random string.
Models of computation. An algorithm is a Turing machine. An efficient algorithm is a probabilistic
Turing machine running in expected polynomial time.

We emphasize the number of inputs received by an algorithm as follows. If algorithm A receives only one
input we write “A(·)”, if it receives two inputs we write “A(·, ·)”, and so on.

A sequence of probabilistic Turing machines $\{T_n\}_{n \in \mathbb{N}}$ is an efficient non-uniform algorithm if there exists
a positive constant c such that, for all sufficiently large n, $T_n$ halts in expected $n^c$ steps and the size of
its program is $\le n^c$. We use efficient non-uniform algorithms to gain the power of using different Turing
machines for different input lengths. For instance, $T_n$ can be used for inputs of length n. The power
of non-uniformity lies in the fact that each Turing machine in the sequence may have “wired-in” (i.e.
properly encoded in its program) a small amount of special information about its own input length.³

A random selector is a special (random) oracle. The oracle query consists of a pair of strings (s, S), where
the second string encodes a finite set. Such a query is answered by the oracle with a randomly chosen
element of the set S. If the oracle is asked the same query twice, it will return the same element. The role
of the first entry in the query is to allow, if so wanted, making random and independent selections in
a set S. That is, if S is the same and $s_1 \ne s_2$, then, in response to queries $(s_1, S)$ and $(s_2, S)$, the oracle
will return two elements from S, each randomly and independently selected.

A random selecting algorithm is a Turing machine with access to a random selector. Notice that a
random selecting algorithm is strictly more powerful than one with access to a coin or a random oracle.
For instance, a random selecting algorithm can select with uniform probability one out of 3 elements. On
the other hand, simulating independent coin flips is easy with a random selector: if Select is a random
selector, to ensure the independence of $b_i$, the i-th coin flip, from all the other coin flips in a computation
on input x, one can set $b_i \leftarrow \mathrm{Select}(x \circ i, \{0, 1\})$.

Random selectors will simplify the description of our algorithms. In fact, we want a Prover in a
non-interactive proof system to be “memoryless.” That is, it need not remember which theorems it
proved in the past in order to find and prove the next theorem. However, for zero-knowledge purposes, it
will be much handier to keep track of some history, namely the history of previously made coin tosses.
This will be crucial in Section 6. A random selector will in fact accomplish this record keeping without
having to consider provers “with history.” As we shall point out, random selectors can be efficiently
approximated, and thus only represent a conceptual tool.
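The approximation just mentioned, as an added example that is not part of the paper: a random selector Select(s, S) implemented as a keyed pseudorandom function (HMAC-SHA-256), with the secret key standing in for the oracle's coin tosses. The class and method names (RandomSelector, select, coin) and the encoding of queries are this example's own choices, not the paper's. The oracle's two properties fall out of the construction: identical queries get identical answers because the PRF is deterministic, and queries that differ in the first entry get answers that are independent as far as the PRF is indistinguishable from a random function. Uniformity over S is obtained by rejection sampling rather than by reducing a hash modulo |S|, which would bias the selection towards small indices.

```python
# Added example (not from the paper): a random selector Select(s, S) approximated
# by a keyed pseudorandom function. The secret key plays the role of the oracle's
# coin tosses; everything else is deterministic, which is what lets a "memoryless"
# prover re-derive an earlier random choice without storing any history.
# Names (RandomSelector, select, coin) are this example's own.
import hashlib
import hmac


class RandomSelector:
    def __init__(self, key: bytes):
        # Must stay secret to the party using it, as a deterministic-nonce seed
        # for signatures must: whoever learns it learns every "random" choice.
        self._key = key

    def select(self, s: bytes, S):
        """Return an element of S chosen uniformly at random. Identical (s, S)
        queries return identical elements; queries differing in s are independent
        (up to the PRF being indistinguishable from a random function)."""
        # Canonical encoding of the finite set S: the order of listing must not matter.
        elems = sorted(set(S), key=repr)
        assert elems, "S must be a non-empty finite set"
        n = len(elems)
        encoded_set = "\x00".join(repr(e) for e in elems).encode()
        nbits = max(1, (n - 1).bit_length())
        nbytes = (nbits + 7) // 8
        # Rejection sampling: draw nbits bits and retry when the value is >= n, so
        # every element is equally likely (reduction modulo n would be biased).
        for counter in range(1 << 16):
            msg = s + b"\x00" + encoded_set + b"\x00" + counter.to_bytes(4, "big")
            digest = hmac.new(self._key, msg, hashlib.sha256).digest()
            candidate = int.from_bytes(digest[:nbytes], "big") & ((1 << nbits) - 1)
            if candidate < n:
                return elems[candidate]
        # Each trial rejects with probability < 1/2, so this is reached with
        # probability below 2^-65536.
        raise RuntimeError("rejection sampling did not terminate")

    def coin(self, x: bytes, i: int) -> int:
        """b_i <- Select(x o i, {0, 1}): the i-th coin flip of a computation on input x."""
        return self.select(x + b"\x00" + str(i).encode(), [0, 1])
```

With a fixed key, `coin(x, i)` can be recomputed at any later time, which is exactly the record keeping the text wants from a memoryless prover; with a fresh key per proof it behaves like ordinary coin tossing.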

Algorithms and probability spaces. If A(·) is a probabilistic algorithm, then for any input x, the notation
A(x) refers to the probability space that assigns to the string σ the probability that A, on input x, outputs
σ.

Following the notation of [GoMiRi], if S is a probability space, then “x ← S” denotes the algorithm
which assigns to x an element randomly selected according to S. If F is a finite set, then the notation
x ← F denotes the algorithm which assigns to x an element selected according to the probability space
whose sample space is F and uniform probability distribution on the sample points.

If p(·, ·, ...) is a predicate, the notation
$$\Pr(x \leftarrow S;\ y \leftarrow T;\ \ldots : p(x, y, \ldots))$$
denotes the probability that p(x, y, ...) will be true after the ordered execution of the algorithms x ← S, y ← T, ....

The notation $\{x \leftarrow S;\ y \leftarrow T;\ \ldots : (x, y, \ldots)\}$ denotes the probability space over $\{(x, y, \ldots)\}$ generated
by the ordered execution of the algorithms x ← S, y ← T, ....

³This definition can be shown equivalent to the one of a poly-size combinatorial circuit and to the one [KaLi] of a poly-time
Turing machine that takes advice.

2.2  Number Theory

Quadratic Residuosity. For each integer x > 0, the set of integers less than x and relatively prime to x
form a group under multiplication modulo x, denoted by $Z_x^*$. We say that $y \in Z_x^*$ is a quadratic residue
modulo x iff there is a $w \in Z_x^*$ such that $w^2 \equiv y \bmod x$. If this is not the case we call y a quadratic
non-residue modulo x. For compactness, we define the quadratic residuosity predicate as follows:
$$Q_x(y) = \begin{cases} 0 & \text{if } y \text{ is a quadratic residue modulo } x, \text{ and} \\ 1 & \text{otherwise.} \end{cases}$$

Fact 2.1 (see for instance [NiZu]) If $y_1, y_2 \in Z_x^*$, then

1. $Q_x(y_1) = Q_x(y_2) = 0 \implies Q_x(y_1 y_2) = 0$.

2. $Q_x(y_1) \ne Q_x(y_2) \implies Q_x(y_1 y_2) = 1$.

The quadratic residuosity predicate defines the following equivalence relation in $Z_x^*$: $y_1 \sim_x y_2$ if and only
if $Q_x(y_1 y_2) = 0$. Thus, the quadratic residues modulo x form a $\sim_x$ equivalence class. More generally, it
is immediately seen that

Fact 2.2 For any fixed $y \in Z_x^*$, the elements $\{yq \bmod x \mid q \text{ is a quadratic residue modulo } x\}$ constitute
a $\sim_x$ equivalence class that has the same cardinality as the class of quadratic residues.

The problem of deciding quadratic residuosity consists of evaluating the predicate $Q_x$. As we now see,
this is easy when the modulus x is prime and appears to be hard when it is composite.


Prime  moduli.  Primes  are  easy  to  recognize. 

Fact  2.3  ([AdHu]  extending  [GoKi])  There  exists  an  efficient  algorithm  that,  on  input  x,  outputs  YES 
if  and  only  if  x  is  prime. 


For p prime, the problem of deciding quadratic residuosity coincides with the problem of computing
the Legendre symbol. In fact, for p prime and $y \in Z_p^*$, the Legendre symbol (y|p) of y modulo p is defined
as
$$(y|p) = \begin{cases} 1 & \text{if } y \text{ is a quadratic residue modulo } p, \text{ and} \\ -1 & \text{otherwise;} \end{cases}$$
and can be computed in polynomial time by using Euler's criterion. Namely,
$$(y|p) = y^{(p-1)/2} \bmod p.$$


Composites are easy to recognize. It is easy to test compositeness. In fact,

Fact 2.4 ([Ra1], [SoSt]) There exists a polynomial time algorithm TEST(·, ·) such that

1. if x is composite, TEST(x, r) = COMPOSITE for at least 3/8 of the strings r such that |r| = |x|.

2. if x is prime, TEST(x, r) = PRIME for all r's.

We say that the sequence $(p_1, h_1), \ldots, (p_n, h_n)$ is the factorization of x if the $p_i$'s are distinct primes, the
$h_i$'s are positive integers, and $x = \prod_{i=1}^{n} p_i^{h_i}$.

While it is easy to test compositeness, no efficient algorithm is known for computing the factorization of
a composite integer. In fact the following assumption is consistent with our state of knowledge.

Factoring Assumption: For each efficient non-uniform algorithm $\{C_n\}_{n \in \mathbb{N}}$, all positive constants d, and
all sufficiently large n,
$$\Pr(x \leftarrow \{0,1\}^n;\ f \leftarrow C_n(x) : f \text{ is the factorization of } x) < n^{-d}.$$

Often  computational  problems  relative  to  composite  moduli  are  easy  if  their  factorization  is  known.  For 
example,  this  is  the  case  for  the  problem  of  computing  square  roots  modulo  x.  In  fact, 
Fact 2.5 (see for instance [An]) There exists an efficient algorithm that, given as inputs x, its prime
factorization, and y, a quadratic residue modulo x, outputs a random square root of y modulo x.

Fact 2.6 ([Ra2]) The problem of factoring composite integers is probabilistic polynomial time reducible
to the problem of extracting square roots modulo composite integers.

Another  computational  problem  modulo  x  that  is  easy  given  the  factorization  of  x  is  deciding  quadratic 
residuosity.  In  fact, 

Fact  2.7  (see  for  instance  [NiZu])  y  is  a  quadratic  residue  modulo  x  if  and  only  if  y  is  a  quadratic  residue 
modulo  each  of  the  prime  divisors  of  x. 

However, no efficient algorithm is known for deciding quadratic residuosity modulo composite numbers
whose factorization is not given. Some help is provided by the Jacobi symbol, which extends the Legendre
symbol to composite integers as follows. Let $(p_1, h_1), \ldots, (p_n, h_n)$ be the prime factorization of x, and
$y \in Z_x^*$. Then⁴
$$(y|x) = \prod_{i=1}^{n} (y|p_i)^{h_i}.$$

Define $J_x^{+1}$ and $J_x^{-1}$ to be, respectively, the subsets of $Z_x^*$ whose Jacobi symbol is +1 and -1. It can be
immediately seen that if $y \in J_x^{-1}$, then it is not a quadratic residue modulo x, as it is not a quadratic
residue modulo some prime $p_i$ dividing x. However, if $y \in J_x^{+1}$, no efficient algorithm is known to compute
$Q_x(y)$. Actually, the fastest way known consists of first factoring x and then computing $Q_x(y)$. This fact
has been first used in cryptography by Goldwasser and Micali [GoMi]. We will use it in this paper with
respect to the following special moduli.

Blum integers. For $n \in \mathbb{N}$, we define the set of Blum integers of size n, BL(n), as follows: x ∈ BL(n) if
and only if x = pq, where p and q are primes of length n both ≡ 3 mod 4. These integers were first used
for cryptographic purposes by [Bl1].

Blum integers are easy to generate. By Fact 2.3 and the density of the primes ≡ 3 mod 4 (de la Vallée
Poussin's extension of the prime number theorem [Sh]), it is easy to prove the following

Fact 2.8 There exists an efficient algorithm that, on input $1^n$, outputs the factorization of a randomly
selected x ∈ BL(n).

This class of integers constitutes the hardest input for any known efficient factoring algorithm. Thus no
efficient algorithm is known for deciding quadratic residuosity modulo Blum integers, which justifies the
following

Quadratic Residuosity Assumption (QRA): For each efficient non-uniform algorithm $\{C_n\}_{n \in \mathbb{N}}$, all positive
constants d, and all sufficiently large n,
$$\Pr(x \leftarrow BL(n);\ y \leftarrow J_x^{+1} : C_n(x, y) = Q_x(y)) < 1/2 + n^{-d}.$$

That is, no efficient non-uniform algorithm can guess the value of the quadratic residuosity predicate
substantially better than by random guessing.

It follows from Fact 2.7 and Euler's criterion that, if x is a Blum integer, -1 mod x is a quadratic
non-residue with Jacobi symbol +1.

⁴Despite the fact that the Jacobi symbol is defined in terms of the factorization of the modulus, it can be computed in
polynomial time. (This can be derived by a time analysis of the classical algorithm presented in [NiZu]; see also [An].)

Fact 2.9 On input a Blum integer x, it is easy to generate a random quadratic non-residue in $J_x^{+1}$:
randomly select $r \in Z_x^*$ and output $-r^2 \bmod x$.


Regular integers. A Blum integer enjoys an elegant structural property. Namely, $|J_x^{+1}| = |J_x^{-1}|$. More
generally, we define an integer x to be regular if it enjoys the above property. We define Regular(s) to
be the set of regular integers with s distinct prime divisors. By the definition of the Jacobi symbol, it is
straightforward that

Fact 2.10 An odd integer x belongs to Regular(s) if and only if it has s distinct prime factors and is
not a perfect square.

Equivalently, by Fact 2.2,

Fact 2.11 An odd integer x belongs to Regular(s) if and only if it is regular and $Z_x^*$ is partitioned by $\sim_x$
into $2^s$ equally numerous equivalence classes. (Equivalently, $J_x^{+1}$ is partitioned by $\sim_x$ into $2^{s-1}$ equally
numerous equivalence classes.)
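The facts of this section exercised on small constructed moduli, as an added example that is not code from the paper. The function names (legendre, jacobi, is_qr, gen_blum, random_qnr_in_j1, class_counts, demo) and the toy parameters are this example's own. It implements Euler's criterion for the Legendre symbol, the Jacobi symbol computed without factoring the modulus (footnote 4), Fact 2.7 for deciding residuosity when the factorization is known, the Blum-integer generator of Fact 2.8 at toy sizes (trial division instead of Fact 2.3), the non-residue sampler of Fact 2.9, and the class counts of Facts 2.10 and 2.11. It also shows the two ways Fact 2.9 can be misapplied: for a regular but non-Blum modulus such as 15 = 3·5 the value $-r^2$ lands in $J^{-1}$, and a perfect square such as 9 is not regular at all.

```python
# Added worked example (not from the paper): the number theory of Section 2.2
# on small constructed moduli. Toy sizes only; a real Blum modulus is hundreds
# of digits and its primes are found with a probabilistic primality test.
from math import gcd
import random


def legendre(y, p):
    """Legendre symbol (y|p) for an odd prime p, by Euler's criterion:
    (y|p) = y^((p-1)/2) mod p, reported as +1 / -1 (0 if p divides y)."""
    r = pow(y % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(y, x):
    """Jacobi symbol (y|x) for odd x > 0 without factoring x (footnote 4),
    via quadratic reciprocity and the supplementary law for 2."""
    assert x > 0 and x % 2 == 1
    y %= x
    result = 1
    while y:
        while y % 2 == 0:            # (2|x) = -1 exactly when x = 3 or 5 mod 8
            y //= 2
            if x % 8 in (3, 5):
                result = -result
        y, x = x, y                  # reciprocity: sign flips iff both are 3 mod 4
        if y % 4 == 3 and x % 4 == 3:
            result = -result
        y %= x
    return result if x == 1 else 0   # x > 1 here means gcd(y, x) > 1


def is_qr(y, factorization):
    """Q_x(y) = 0, decided from the factorization of x (Fact 2.7): y is a QR
    modulo x iff it is a QR modulo every prime divisor of x."""
    return all(legendre(y, p) == 1 for p, _ in factorization)


def gen_blum(bits, rng):
    """Fact 2.8 at toy size: x = pq with distinct primes p, q = 3 mod 4 of `bits` bits.
    Returns x and its factorization [(p, 1), (q, 1)]."""
    def is_prime(n):                 # trial division is enough at these sizes
        return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
    primes = [p for p in range(1 << (bits - 1), 1 << bits) if p % 4 == 3 and is_prime(p)]
    p, q = rng.sample(primes, 2)
    return p * q, [(p, 1), (q, 1)]


def random_qnr_in_j1(x, rng):
    """Fact 2.9: for a Blum integer x, -r^2 mod x is a quadratic non-residue with
    Jacobi symbol +1. (For a non-Blum modulus the output can land in J^{-1}.)"""
    while True:
        r = rng.randrange(1, x)
        if gcd(r, x) == 1:
            return (-r * r) % x


def class_counts(x):
    """Brute-force check of Facts 2.10 / 2.11 for a small odd x: is x regular
    (|J^{+1}| = |J^{-1}|), and into how many ~x classes do Z*_x and J^{+1} split?"""
    zx = [y for y in range(1, x) if gcd(y, x) == 1]
    j_plus = [y for y in zx if jacobi(y, x) == 1]
    j_minus = [y for y in zx if jacobi(y, x) == -1]
    qrs = {y * y % x for y in zx}    # the ~x class of quadratic residues
    return {"regular": len(j_plus) == len(j_minus),
            "classes_in_Zx": len(zx) // len(qrs),
            "classes_in_J1": len(j_plus) // len(qrs)}


def demo(seed=7, bits=5):
    """Generate a toy Blum integer and a QNR in J^{+1}, and evaluate the claims."""
    rng = random.Random(seed)
    x, fac = gen_blum(bits, rng)
    y = random_qnr_in_j1(x, rng)
    y15 = random_qnr_in_j1(15, rng)  # 15 = 3*5 is regular but not a Blum integer
    return {"x": x, "fac": fac, "y": y,
            "minus_one_is_qnr_in_J1": jacobi(x - 1, x) == 1 and not is_qr(x - 1, fac),
            "y_is_qnr_in_J1": jacobi(y, x) == 1 and not is_qr(y, fac),
            "jacobi_of_minus_r2_mod_15": jacobi(y15, 15)}
```

For x = 21 = 3·7 (a Blum integer) the brute-force count gives $2^2$ classes in $Z_{21}^*$ and $2^1$ in $J_{21}^{+1}$, as Fact 2.11 predicts for s = 2, while x = 9 has $|J^{-1}| = 0$ and so is not regular.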

3  Bounded  Non-Interactive  Zero-Knowledge  Proofs 

A Bounded Non-Interactive Zero-Knowledge Proof System is a special algorithm. Given as input a
random string σ and a single, sufficiently shorter theorem T, it outputs a second string that will convince
(non-interactively and) in zero-knowledge that T is true any verifier who has access to the same σ. It
is important in this process that a “brand new” random string is employed for each theorem. The word
“bounded” refers to the fact that if the same σ is used over and over again for convincing the verifier of
the validity of many theorems, the produced non-interactive proofs may no longer be zero-knowledge.

Definition 3.1 Let $A_1$ and $A_2$ be Turing Machines. We say that $(A_1, A_2)$ is a sender-receiver pair if
their computation on a common input x works as follows. First, algorithm $A_1$, on input x, outputs a
string $m_x$. Then, algorithm $A_2$ computes on inputs x and $m_x$ and outputs ACCEPT or REJECT. If
$(A_1, A_2)$ is a sender-receiver pair, $A_1$ is called the sender and $A_2$ the receiver. The running time of both
machines is calculated only in terms of the common input.

Thus, $m_x$ can be interpreted as a message sent by $A_1$ to $A_2$.

Notation. In our sender-receiver pairs, the output of the sender is described in terms of s “send
instructions,” where s solely depends on the input length. If “send v” is the i-th such instruction, this
is shorthand for “output (i, v).” Without explicitly saying it, the receiver always checks that for each
i = 1, ..., s, exactly one pair with first entry i is received. If this is not the case, or if the second component
of a pair is not of the right form (i.e. is not of the proper length, is a string rather than a set, etc.), the
receiver immediately halts outputting REJECT. Thus if “send v” is the i-th instruction of the sender,
“check that v ...” means “check that the second component of the pair whose first entry is i ...” That is,
the receiver parses without ambiguity the sender's output.

Definition 3.2 Let (Prover, Verifier) be a sender-receiver pair, where Prover(·, ·) is random selecting
and Verifier(·, ·, ·) is polynomial-time. We say that (Prover, Verifier) is a Bounded Non-Interactive Zero-
Knowledge Proof System (Bounded Non-Interactive ZKPS) for the language L if there exists a positive
constant c such that:
1. Completeness. $\forall x \in L_n$ and for all sufficiently large n,
$$\Pr(\sigma \leftarrow \{0,1\}^{n^c};\ Proof \leftarrow Prover(\sigma, x) : Verifier(\sigma, x, Proof) = 1) \ge 2/3.$$

2. Soundness. $\forall x \notin L$ with $|x| \le n$, for all Turing machines Prover'(·, ·), and for all sufficiently large n,
$$\Pr(\sigma \leftarrow \{0,1\}^{n^c};\ Proof \leftarrow Prover'(\sigma, x) : Verifier(\sigma, x, Proof) = 1) \le 1/3.$$

3. Zero-Knowledge. There exists an efficient algorithm S such that $\forall x \in L_n$, for all efficient non-
uniform (distinguishing) algorithms D, $\forall d > 0$, and all sufficiently large n,
$$\bigl|\Pr(s \leftarrow View(n, x) : D_n(s) = 1) - \Pr(s \leftarrow S(1^n, x) : D_n(s) = 1)\bigr| < n^{-d},$$
where
$$View(n, x) = \{\sigma \leftarrow \{0,1\}^{n^c};\ Proof \leftarrow Prover(\sigma, x) : (\sigma, Proof)\}.$$

We call Simulator the algorithm S.

We define the class of languages Bounded-NIZK as follows:

Bounded-NIZK = {L : L has a Bounded Non-Interactive ZKPS}.

A sender-receiver pair (Prover, Verifier) is a Bounded Non-Interactive Proof System for the language L
if there exists a positive constant c such that completeness and soundness hold (such a c will be referred
to as the constant of (Prover, Verifier)). We let Bounded Non-Interactive P be the class of languages L
having a Bounded Non-Interactive Proof System.

We call the “common” random string σ, input to both Prover and Verifier, the reference string. (Above,
the common input is σ and x.)

Discussion. 

Proving and Verifying. As usual, we do not care what amount of resources is necessary for proving a
true theorem, but we do insist that verifying is always easy. Thus, we have chosen our prover as powerful
as possible, though it cannot use its power to find “long” proofs, since the verifier is polynomial-time (in
the common input).

Arthur-Merlin Games. It is immediately seen that the notion of a Bounded Non-Interactive Proof System
is equivalent to that of a two-move Arthur-Merlin Proof System [Ba, BaMo]. Thus, letting $AM_2$ denote
the class of languages accepted by a two-move Arthur-Merlin Proof System, we have Bounded-NIZK
$\subseteq AM_2$. Actually, as we shall prove in Section 5.5, this containment is an equality under a proper
complexity assumption.

Probability Enhancement. As for the case of BPP algorithms and interactive proofs, the definition of
completeness and soundness is independent of the constants 2/3 and 1/3. In fact, these (or other “bounded
away”) probabilities can be pumped up (and down) easily by repeating the proving process sufficiently
many times, each using a distinct segment of a sufficiently longer reference string. This process is called
“parallel composition.” However, as noted by Micali for the case of interactive zero-knowledge proofs,
parallel composition may also enhance the amount of knowledge released! Indeed, zero-knowledge proofs
do not appear to be closed under parallel composition. The reason for which straightforward parallel
composition fails in the case of interactive zero-knowledge proofs is precisely that interaction may be
exploited in subtle ways by a “cheating verifier.”⁵ One advantage of non-interactive zero knowledge is
precisely the fact that one does not have to worry about “cheating” verifiers: as is immediately seen,
bounded non-interactive zero knowledge is closed under parallel composition.

⁵Elaborating on this subtle point is not in the scope of this paper. For an explanation of it (and pointers to related
results) see [BeMiOs].

Completeness means that (after a sufficient enhancement) the probability of succeeding in proving a true
theorem T is overwhelming. This is so even if T is selected after the string σ has been chosen. More
precisely, a simple counting argument shows that Completeness is equivalent to the following

1'. Strong Completeness. For all probabilistic algorithms Choose-in-L(·) that, on input an $n^c$-bit string,
return elements in $L_n$, and all sufficiently large n,
$$\Pr(\sigma \leftarrow \{0,1\}^{n^c};\ x \leftarrow \text{Choose-in-L}(\sigma);\ Proof \leftarrow Prover(\sigma, x) : Verifier(\sigma, x, Proof) = 1) > 1 - 2^{-n}.$$

That strong completeness holds can be seen by first using parallel composition so as to replace the probability
2/3 of Completeness with $1 - 2^{-2n}$, and then noticing that there are at most $2^n$ theorems of length n.
Actually, Completeness can be replaced by a simpler property yet. Namely,
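The counting argument behind Strong Completeness, written out (added here; it is not in the original text). Write $\delta(x)$ for the probability, over σ and over Prover's own coins, that Verifier rejects the proof of a fixed $x \in L_n$; after parallel composition $\delta(x) \le 2^{-2n}$. For any Choose-in-L, the event “Verifier rejects” is contained in the union, over x, of the events “Choose-in-L(σ) = x and Verifier rejects the proof of x”, so a union bound gives

$$\Pr[\text{reject}] \;\le\; \sum_{x \in L_n} \Pr[\text{Choose-in-L}(\sigma) = x \,\wedge\, \text{reject on } x] \;\le\; \sum_{x \in L_n} \delta(x) \;\le\; |L_n| \cdot 2^{-2n} \;\le\; 2^{n} \cdot 2^{-2n} \;=\; 2^{-n}.$$

(Counting all strings of length at most n rather than exactly n gives $|L_n| < 2^{n+1}$; composing down to error $2^{-3n}$ instead yields the bound $2^{1-2n} \le 2^{-n}$, so the counting convention is immaterial.) The same union bound over the false theorems $x \notin L$, $|x| \le n$, with $\delta(x)$ now the best acceptance probability of a cheating prover on x, is the counting argument behind Strong Soundness below.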
Actually,  Completeness  can  be  replaced  by  a  simpler  yet  property.  Namely, 

1''. Perfect Completeness. $\forall x \in L_n$,
$$\Pr(\sigma \leftarrow \{0,1\}^{n^c};\ Proof \leftarrow Prover(\sigma, x) : Verifier(\sigma, x, Proof) = 1) = 1.$$


In  fact, 

Theorem 3.3 Let L ∈ Bounded-NIZK. Then L has a Bounded Non-Interactive ZKPS with perfect
completeness.

Proof: Furer, Goldreich, Mansour, Sipser, and Zachos [FuGoMaSiZa] have proved that any language
having an interactive proof system has one with perfect completeness. Let now (P, V) be a Bounded Non-
Interactive ZKPS for L for which Completeness holds with overwhelming probability. Then modify P
as follows. Whenever the proof generated by P is not accepted by the verifier (something that can be
easily computed), as Bounded Non-Interactive P = $AM_2$, the new prover interprets the reference string
as an Arthur move, and responds with a Merlin move so as to achieve perfect completeness. This extra step
guarantees that the verifier will always be convinced (of a true theorem), and thus Perfect Completeness
holds. It is immediately seen that Soundness keeps on holding. Also Zero Knowledge keeps on holding:
the extra step may be “dangerous,” but it is performed only too rarely.

Soundness means that the probability of succeeding in proving a false theorem T is negligible. This still
holds if T is chosen after σ has been selected. More precisely, a simple counting argument shows that
Soundness is equivalent to

2'. Strong Soundness. For all probabilistic algorithms Adversary outputting pairs (x, Proof), where
$x \notin L$ and $|x| \le n$, and all sufficiently large n,
$$\Pr(\sigma \leftarrow \{0,1\}^{n^c};\ (x, Proof) \leftarrow Adversary(\sigma) : Verifier(\sigma, x, Proof) = 1) < 2^{-n}.$$

Zero-Knowledge guarantees that the proof gives no knowledge but the validity of the theorem. All the
verifier may see in our scenario, σ and Proof, can be efficiently computed with essentially the same odds
without “knowing how to prove T”.

Notice that in our scenario, the definition of Zero-Knowledge is simpler than the one in [GoMiRa]. As
there is no interaction between Verifier and Prover, we do not have to worry about possible cheating by
the verifier to obtain a “more interesting view”. That is, we can eliminate the quantification “∀ Verifier'”
from the original definition of [GoMiRa].

Analogously to [GoMiRa], we may define a bounded non-interactive proof system (Prover, Verifier) to be
Perfect Zero-Knowledge if the following more stringent condition holds:

Perfect Zero-Knowledge. There exists an efficient algorithm S such that $\forall x \in L_n$ and all sufficiently
large n,
$$View(n, x) = S(1^n, x),$$
where
$$View(n, x) = \{\sigma \leftarrow \{0,1\}^{n^c};\ Proof \leftarrow Prover(\sigma, x) : (\sigma, Proof)\}.$$

Thus the notion of perfect ZK is independent of the computing power of “the observer/distinguisher.”
While for Completeness and Soundness it is not important whether the true/false theorem is chosen before
or after the reference string, this need not be the case for Zero-Knowledge. It is actually important
that the prover chooses the true theorem T he wants to prove independently of σ. This in practice is not
a restriction, since σ does not have any special meaning. The sole purpose of σ is to provide a common
source of randomness, and thus it can be accessed only after the prover has chosen which theorem to prove,
in which case the “independence” condition is automatically satisfied. Should the prover want to prove a
statement “about” the reference string, there is no guarantee that no knowledge would be revealed, while
there is still a guarantee that the statement cannot be false.


4  A Bounded Non-Interactive ZKPS for a special language.

Definition 4.1 Set $QR = \bigcup_n QR(n)$ and $NQR = \bigcup_n NQR(n)$, where

$QR(n) = \{(x,y) \mid x \in \mathrm{Regular}(2),\ |x| \le n,\ \text{and } Q_x(y) = 0\}$

and

$NQR(n) = \{(x,y) \mid x \in \mathrm{Regular}(2),\ |x| \le n,\ y \in J_x^{+1},\ \text{and } Q_x(y) = 1\}.$

If one restricts the modulus $x$ in the definition of $QR$ and $NQR$ to be a Blum integer, then the quadratic residuosity assumption states that it is hard to distinguish the languages $QR$ and $NQR$.

For $x \in \mathrm{Regular}(2)$, $QR_x$ denotes the set $\{y \mid (x,y) \in QR\}$ and $NQR_x$ the set $\{y \mid (x,y) \in NQR\}$.

Definition 4.2 If $(x,y) \in NQR$ and $z \in J_x^{+1}$, we say that $s \in Z_x^*$ is an $(x,y)$-root of $z$ if $z = s^2 \bmod x$ or $zy = s^2 \bmod x$. (Notice that only one of the two cases may apply.) If $s$ is an $(x,y)$-root of $z$, we write

In this section we prove that $NQR$ has a bounded non-interactive proof system that is perfect zero-knowledge. The proof system below is based on an earlier protocol of Goldwasser and Micali [GoMi2].

The Sender-Receiver Pair (A,B)

Input to A and B:

•  $(x,y) \in NQR(n)$

•  An $n^3$-bit random string $\rho$.

(Set $\rho = \rho_1 \rho_2 \cdots \rho_{n^2}$, where each $\rho_i$ has length $n$.)

Instructions for A.

•  For $i = 1, \ldots, n^2$, if $\rho_i \in J_x^{+1}$ then randomly choose and send an $(x,y)$-root $s_i$ of $\rho_i$.

Instructions for B.

B.0 If $\rho_i \in J_x^{+1}$ for less than $3n$ of the indices $i$, then stop and ACCEPT. Else,

B.1 Verify that $x$ is odd and that $y \in J_x^{+1}$. If not, stop and REJECT. Else,

B.2 Verify that $x$ is not a perfect square. If not, stop and REJECT. Else,

B.3 If $x$ is a prime power, stop and REJECT. Else,

B.4 For each $\rho_i \in J_x^{+1}$ verify that $s_i$ is an $(x,y)$-root of $\rho_i$. If not, stop and REJECT. Else ACCEPT.

Theorem 4.3 $(A,B)$ is a Bounded Non-Interactive ZKPS for $NQR$.

Proof: First, $(A,B)$ is a sender-receiver pair. Second, $B$ runs in polynomial time. In fact, the Jacobi symbol can be computed in polynomial time, steps B.2 and B.4 are trivial, and step B.3 can be performed as follows:

B.3.1 Compute the largest integer $a$ for which $x = w^a$ for some $w \in \mathbb{N}$. (Only values $1, \ldots, |x|$ should be tried for $a$ and a binary search can be performed for finding $w$, if it exists.)

B.3.2 Compute $z$ such that $z^a = x$.

B.3.3 If for all $1 \le i \le n^2$, $\mathrm{TEST}(z, \rho_i) = \mathrm{PRIME}$, stop and REJECT.

Third, properties 1-3 of a Bounded Non-Interactive ZKPS also hold.

Completeness. We actually prove that strong completeness holds. This implies that the weaker property 1 also holds. If $(x,y) \in NQR(n)$, then step B.1 is trivially passed. Step B.2 is passed because of Fact 2.10. B.3 is passed with probability greater than $1 - 2^{-n}$. This can be argued as follows. For any fixed $x \in \mathrm{Regular}(2)$, the probability that TEST outputs PRIME on a single $\rho_i$ is at most $5/8$, and thus (since the $\rho_i$'s are independent) the probability that B.3 is not successfully passed is at most $(5/8)^{n^2}$. Since there are at most $2^n$ $x$'s such that $(x,z) \in NQR(n)$ for some $z$, the probability that step B.3 is not successfully passed is at most $2^n (5/8)^{n^2} < 2^{-n}$. Finally, step B.4 is passed with probability 1. In fact, as $x \in \mathrm{Regular}(2)$, by Fact 2.11, there are exactly 2 $\sim_x$ equivalence classes in $J_x^{+1}$. That is, either $\rho_i$ is a quadratic residue modulo $x$ or $\rho_i$ is in the same equivalence class as $y$, in which case $y\rho_i$ is a quadratic residue.

Soundness. As done for the completeness property, we actually prove that strong soundness holds.

First, observe that $B$ stops at step B.0 only with negligible probability. Indeed, for a fixed $x$, the probability that $\rho_i \in J_x^{+1}$ is greater than $1/8$. By the Chernoff bound (see [AnVa], [ErSp]), the probability that $\rho_i \in J_x^{+1}$ for less than $3n$ of the indices is (for large $n$) less than $2^{-2n}$. Thus, the probability that there is an $x$ for which $B$ stops at step B.0 is at most $2^n 2^{-2n} = 2^{-n}$.

Assume that $(x,y) \notin NQR$. Then, either (a) $x \in \mathrm{Regular}(2)$ but $Q_x(y) = 0$, or (b) $x \notin \mathrm{Regular}(2)$. For any fixed input $(x,y)$ for which case (a) occurs, the probability that B.4 is successfully passed is at most $2^{-3n}$. (In fact, B.4 is passed if and only if all $\rho_i$'s are quadratic residues modulo $x$.) Thus, the probability that step B.4 is passed, for any input for which case (a) occurs, is at most $2^n 2^{-3n} = 2^{-2n}$.

Consider now the case that $(x,y) \notin NQR$ because of reason (b). Then either (b.1) $x$ is not regular, or (b.2) $x \in \mathrm{Regular}(1)$, or (b.3) $x \in \mathrm{Regular}(s)$ for $s \ge 3$. In case (b.1), due to Fact 2.10, an odd $x$ must be a perfect square which would be detected in step B.2. In case (b.2), $x$ is a prime power which would be detected by step B.3. Let us now argue case (b.3). For any fixed $(x,y)$ with $x \in \mathrm{Regular}(s)$, $s \ge 3$, the probability that step B.4 is successfully passed is at most $2^{-3n}$. (In fact this would happen only if, for each $\rho_i \in J_x^{+1}$, either $\rho_i$ or $\rho_i y$ is a quadratic residue modulo $x$. This happens with probability $\le 1/2$ since, because of Fact 2.11, there are at least 4 equivalence classes in $J_x^{+1}$.) Thus the probability that, for any input outside $NQR$ because of reason (b.3), step B.4 is successfully passed is at most $2^{2n} 2^{-3n} = 2^{-n}$.

Zero-Knowledge. Let us specify a (simulating) efficient algorithm $M$ that, on input $(x,y) \in NQR$, generates a random variable which no algorithm can distinguish from $B$'s view on input $(x,y) \in NQR$.

$M$'s program

Input: $(x,y) \in NQR(n)$.

1. Set $\mathit{Proof}$ = empty string.

2. For $i = 1$ to $n^2$

   Randomly select an $n$-bit integer $s_i$, with possible leading 0's.

   If $s_i \notin J_x^{+1}$ then set $\rho_i = s_i$,
   else

      Toss a fair coin.

      If HEAD set $\rho_i = s_i^2 \bmod x$ and append $s_i$ to $\mathit{Proof}$.

      If TAIL set $\rho_i = y^{-1} s_i^2 \bmod x$ and append $s_i$ to $\mathit{Proof}$.

3. Set $\rho = \rho_1 \cdots \rho_{n^2}$.

Output: $(\rho, \mathit{Proof})$.

Now, let us prove that $M$ is a good simulator for the view of $B$ when interacting with prover $A$ on input $(x,y) \in NQR$. Actually, in the language of [GoMiRa], $(A,B)$ is Perfect Zero-Knowledge. That is, the random variable output by $M$ is the very same random variable seen by $B$ (and thus the two random variables cannot be distinguished by any non-uniform algorithm, efficient or not). In fact, it can be easily seen that $\rho$ is randomly distributed among the $n^3$-bit long strings. Moreover, if $\rho_i \in J_x^{+1}$, the corresponding $s_i$ is a random $(x,y)$-root of $\rho_i$. Thus $s_i$ has the same probability of belonging to $M$'s output as it has to be sent from prover $A$ to verifier $B$ on inputs $(x,y)$ and $\rho$. $\square$

Notice that the proof system $(A,B)$ does not have Perfect Completeness; that is, there is a negligible probability that the prover, following the protocol, may not succeed in proving a true theorem. We can achieve Perfect Completeness and still retain Perfect Zero-Knowledge at the expense of further complications which are not necessary in our context.

Robustness Of The Result. The above proof system is zero-knowledge if the reference string $\rho$ is truly random. We may rightly ask what would happen if $\rho$ is not truly randomly selected. Fortunately, we shall see that the poor randomness of $\rho$ may perhaps weaken the zero-knowledgeness of our proof system, but not its completeness and soundness. In fact, all we require from $\rho$ is that it contains a not too low percentage of quadratic residues and non residues modulo any integer in $\mathrm{Regular}(2)$ of a given length. The same remark applies to all proof systems of this paper. This robustness property is important as we can never be sure of the quality of our natural sources of randomness.
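To make the mechanics of $(A,B)$ and of the simulator $M$ concrete, here is an added example in Python; it is not code from the paper. It runs the prover, the verifier and $M$ on a constructed toy Blum integer $x = 43 \cdot 47$ with $y = -1$ (a non-residue of Jacobi symbol $+1$), and then replaces $y$ by the square 4 so that $(x,y) \notin NQR$. Assumptions of the example: the prover is handed the factors $p, q$ to extract square roots (the paper's $A$ is computationally unbounded); the probabilistic TEST of step B.3 is replaced by trial-division factoring, which is adequate at toy size; an $n$-bit block whose value is at least $x$ is treated as lying outside $J_x^{+1}$; and the proof lists the roots $s_i$ in the order of the blocks $\rho_i \in J_x^{+1}$.

```python
"""Added example (not the paper's code): the sender-receiver pair (A, B) of Section 4 for
NQR and its simulator M, run on a constructed toy Blum integer.  The prover is given the
factors p, q to extract roots; the verifier and the simulator never see them."""
import random
from math import gcd, isqrt

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard quadratic-reciprocity loop)."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def in_j_plus1(r, x):
    """r in J_x^{+1}: 0 < r < x, coprime to x, Jacobi symbol +1.  An n-bit block with value
    >= x is not a residue class and counts as outside J_x^{+1} (assumption of the example)."""
    return 0 < r < x and gcd(r, x) == 1 and jacobi(r, x) == 1

def is_qr(z, p, q):
    """Q_x(z) = 0 for x = pq, decided with the factors (Euler's criterion)."""
    return pow(z, (p - 1) // 2, p) == 1 and pow(z, (q - 1) // 2, q) == 1

def sqrt_mod_blum(z, p, q, rng):
    """A uniformly random square root of the residue z modulo pq, p = q = 3 (mod 4), via CRT."""
    rp = pow(z, (p + 1) // 4, p) * rng.choice((1, -1))
    rq = pow(z, (q + 1) // 4, q) * rng.choice((1, -1))
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def prover_A(x, y, rho, p, q, rng):
    """Instructions for A: for every block rho_i in J_x^{+1} send a random (x,y)-root s_i."""
    proof = []
    for r in rho:
        if in_j_plus1(r, x):
            target = r if is_qr(r, p, q) else r * y % x     # exactly one is a residue when y is not
            proof.append(sqrt_mod_blum(target, p, q, rng) if is_qr(target, p, q) else 1)  # 1: no root exists
    return proof

def distinct_prime_factors(x):
    """Trial division; stands in for the probabilistic TEST of step B.3 at toy sizes."""
    fs, d = set(), 2
    while d * d <= x:
        while x % d == 0:
            fs.add(d); x //= d
        d += 1
    return fs | ({x} if x > 1 else set())

def verifier_B(x, y, rho, proof, n):
    """Instructions for B; True means ACCEPT.  proof holds s_i for the blocks in J_x^{+1}, in order."""
    hits = [r for r in rho if in_j_plus1(r, x)]
    if len(hits) < 3 * n:                                   # B.0: too few usable blocks, accept
        return True
    if x % 2 == 0 or not in_j_plus1(y, x):                  # B.1
        return False
    if isqrt(x) ** 2 == x or len(distinct_prime_factors(x)) == 1:   # B.2, B.3
        return False
    if len(proof) != len(hits):
        return False
    for r, s in zip(hits, proof):                           # B.4: s_i^2 = rho_i or s_i^2 = rho_i * y
        if s * s % x not in (r, r * y % x):
            return False
    return True

def simulator_M(x, y, n, rng):
    """M's program: builds (rho, Proof) from (x, y) alone, choosing s_i before rho_i."""
    rho, proof = [], []
    for _ in range(n * n):
        s = rng.getrandbits(n)
        if not in_j_plus1(s, x):
            rho.append(s)
        else:
            rho.append(s * s % x if rng.random() < 0.5 else pow(y, -1, x) * s * s % x)
            proof.append(s)
    return rho, proof

def demo(seed=1):
    """Honest run, simulated run, and a run with y a square (so (x, y) is not in NQR)."""
    rng = random.Random(seed)
    p, q = 43, 47                                           # constructed toy Blum primes, both 3 mod 4
    x = p * q                                               # x = 2021
    n = x.bit_length()                                      # 11: n-bit blocks, n^2 of them
    y = x - 1                                               # -1: non-residue of Jacobi symbol +1 mod a Blum integer
    rho = [rng.getrandbits(n) for _ in range(n * n)]        # the n^3-bit reference string, in n-bit blocks
    honest = verifier_B(x, y, rho, prover_A(x, y, rho, p, q, rng), n)
    sim_rho, sim_proof = simulator_M(x, y, n, rng)
    simulated = verifier_B(x, y, sim_rho, sim_proof, n)
    cheat = verifier_B(x, 4, rho, prover_A(x, 4, rho, p, q, rng), n)   # 4 is a square: non-residue blocks have no root
    return honest, simulated, cheat                         # (True, True, False)
```

The verifier never touches $p$ or $q$, and the simulator never extracts a root: it draws $s_i$ first and derives $\rho_i$ from it, which is exactly why its $(\rho, \mathit{Proof})$ has the distribution of the honest view. With $y$ a square, every block in the non-residue class of $J_x^{+1}$ has no $(x,y)$-root at all, so step B.4 rejects.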
5  A Bounded Non-Interactive ZKPS for 3SAT

In this section we exhibit a Bounded Non-Interactive ZKPS for 3SAT. A boolean formula $\Phi = \phi_1 \wedge \cdots \wedge \phi_n$ in conjunctive normal form over the variables $u_1, \ldots, u_k$, where each clause $\phi_i$ has 3 literals, is in the language 3SAT if it has a satisfying truth assignment $t: \{u_1, \ldots, u_k\} \to \{0,1\}$ (see [GaJo] for a more complete treatment). If $\Phi \in$ 3SAT we say that $\Phi$ is 3-satisfiable.

The following definition was informally introduced in [BlFeMi], but used in a quite different way.

Definition 5.1 For any positive integer $x$, define the relation $\approx_x$ on $J_x^{+1} \times J_x^{+1} \times J_x^{+1}$ as follows:

$(a_1, a_2, a_3) \approx_x (b_1, b_2, b_3) \iff a_i \sim_x b_i$ for $i = 1, 2, 3$.

Let $(a_1,a_2,a_3) \approx_x (b_1,b_2,b_3)$. An $(a_1,a_2,a_3)$-root modulo $x$ (more simply an $(a_1,a_2,a_3)$-root, when the modulus $x$ is clear from the context) of $(b_1,b_2,b_3)$ is a triplet $(s_1,s_2,s_3)$ such that $(s_1^2 \bmod x,\ s_2^2 \bmod x,\ s_3^2 \bmod x) = (a_1 b_1 \bmod x,\ a_2 b_2 \bmod x,\ a_3 b_3 \bmod x)$. If $Q_x(b_1) = Q_x(b_2) = Q_x(b_3) = 0$, a square root modulo $x$ (more simply a square root, when the modulus $x$ is clear from the context) of $(b_1,b_2,b_3)$ is a triplet $(s_1,s_2,s_3)$ such that $(s_1^2 \bmod x,\ s_2^2 \bmod x,\ s_3^2 \bmod x) = (b_1,b_2,b_3)$.

From Fact 2.11, one can prove the following:

Fact 5.1 For each integer $x \in \mathrm{Regular}(s)$, $\approx_x$ is an equivalence relation on $J_x^{+1} \times J_x^{+1} \times J_x^{+1}$ and there are $2^{3(s-1)}$ equally numerous $\approx_x$ equivalence classes.

We write $(a_1,a_2,a_3) \not\approx_x (b_1,b_2,b_3)$ when $(a_1,a_2,a_3)$ is not $\approx_x$ equivalent to $(b_1,b_2,b_3)$.

We now proceed as follows. In Section 5.1, we describe a sender-receiver pair $(P,V)$. In Sections 5.2, 5.3, and 5.4 we will prove that $(P,V)$ is a Bounded Non-Interactive ZKPS for 3SAT.

5.1 The Sender-Receiver Pair (P,V)

Input to P and V:

•  a random string $\rho \circ \tau$, where $|\rho| = 8n^3$ and $|\tau| = 2n^4$;

•  $\Phi = \phi_1 \wedge \phi_2 \wedge \cdots \wedge \phi_n$ a 3-satisfiable formula with $n$ clauses over the variables $u_1, u_2, \ldots, u_k$, $k \le 3n$.

Instructions for P.

P.1 Randomly select $x \in BL(n)$ and $y \in NQR_x$.

P.2 “Prove that $(x,y) \in NQR(2n)$.”

Send the auxiliary pair $(x,y)$ and run algorithm $A$ of Section 4 on inputs $(x,y)$ and $\rho$. (Call $\mathit{Proof}_1$ the output.)

P.3 “Prove that $\Phi \in$ 3SAT.”

Let $t: \{u_1, \ldots, u_k\} \to \{0,1\}$ be the lexicographically smallest satisfying assignment for $\Phi$.

Execute procedure Prove($\Phi, t, x, y, \tau$) (see below). (Call $\mathit{Proof}_2$ the output.)
Procedure Prove($\Phi, t, x, y, \tau$)

“$\Phi = \phi_1 \wedge \phi_2 \wedge \cdots \wedge \phi_n$ is a 3-satisfiable formula with $n$ clauses over the variables $u_1, u_2, \ldots, u_k$, $k \le 3n$. $t: \{u_1, \ldots, u_k\} \to \{0,1\}$ is a truth assignment satisfying $\Phi$. $(x,y) \in NQR(2n)$ and, moreover, $x \in BL(n)$. $\tau$ is a $2n^4$-bit long string.”

begin{Prove}

1. “Break $\tau$ into members of $J_x^{+1}$.”

   Consider $\tau$ as the concatenation of $n^3$ $2n$-bit integers. If there are less than $33n^2$ integers in $J_x^{+1}$ then stop. Else, let $\tau_1, \ldots, \tau_{33n^2}$ be the first $33n^2$ integers belonging to $J_x^{+1}$.

2. “Assign triplets of elements with Jacobi symbol $+1$ to clauses.”

   Group the $\tau_i$'s in $11n^2$ triplets $(\tau_1,\tau_2,\tau_3), (\tau_4,\tau_5,\tau_6), \ldots$. The first $11n$ triplets are assigned to $\phi_1$, the second $11n$ triplets are assigned to $\phi_2$, and so on.

3. “Label the formula $\Phi$.”

   For each variable $u_j$, randomly select $r_j \in Z_x^*$ and compute the pairs $(u_j, w_j)$ and $(\bar u_j, y w_j \bmod x)$, where

   $w_j = \begin{cases} r_j^2 \bmod x & \text{if } t(u_j) = 0 \text{ and} \\ y r_j^2 \bmod x & \text{if } t(u_j) = 1. \end{cases}$

   We refer to these pairs as the labeling of $\Phi$ and to $w_j$ ($y w_j \bmod x$) as the label of the literal $u_j$ ($\bar u_j$).

   “Since $y$ is a quadratic non residue, by Fact 2.1, $y r_j^2$ is a quadratic non residue. Therefore the label of a literal is a quadratic non residue iff the literal is true under $t$.”

   Send the labeling of $\Phi$.

4. “Prove that $\Phi$ is satisfiable.”

   For each clause $\phi$ of $\Phi$ do:

   •  “Randomly select the verifying triplets.”

      Let $(\alpha_1, \beta_1, \gamma_1)$ be the labels of the three literals of $\phi$.

      Choose at random 7 triplets $(\alpha_2,\beta_2,\gamma_2), \ldots, (\alpha_8,\beta_8,\gamma_8)$ in $J_x^{+1} \times J_x^{+1} \times J_x^{+1}$ such that

      (a) $(\alpha_i,\beta_i,\gamma_i) \not\approx_x (\alpha_j,\beta_j,\gamma_j)$ for $1 \le i < j \le 8$, and

      (b) $Q_x(\alpha_2) = Q_x(\beta_2) = Q_x(\gamma_2) = 0$.

      Send $(\alpha_1,\beta_1,\gamma_1), \ldots, (\alpha_8,\beta_8,\gamma_8)$.

      The triplets $(\alpha_1,\beta_1,\gamma_1), \ldots, (\alpha_8,\beta_8,\gamma_8)$ are the verifying triplets of $\phi$.

      “We omit writing $(\alpha_1^{\phi},\beta_1^{\phi},\gamma_1^{\phi}), \ldots, (\alpha_8^{\phi},\beta_8^{\phi},\gamma_8^{\phi})$ not to overburden our notation, hoping that clarity is maintained.”

   •  “Prove that $(\alpha_2,\beta_2,\gamma_2)$ is made of quadratic residues.”

      Randomly choose and send $(s_1,s_2,s_3)$, a square root of $(\alpha_2,\beta_2,\gamma_2)$.

   •  For each of the assigned triplets $(z_1,z_2,z_3)$ of $\phi$, choose $i$, $1 \le i \le 8$, so that $(z_1,z_2,z_3) \approx_x (\alpha_i,\beta_i,\gamma_i)$. Randomly choose and send an $(\alpha_i,\beta_i,\gamma_i)$-root of $(z_1,z_2,z_3)$.

end{Prove}

Instructions for V.

“V receives from P the auxiliary pair $(x,y)$ and two strings $\mathit{Proof}_1$ and $\mathit{Proof}_2$.”

V.0 Compute $n$ from $\rho \circ \tau$ and verify that $\Phi$ has at most $n$ clauses and each of them has three literals. If not, stop and REJECT. Else,

V.1 Run algorithm $B$ of Section 4 on inputs $\rho$, $(x,y)$, and $\mathit{Proof}_1$.

    If $B$ stops and rejects, stop and REJECT. Else,

V.2 If Check_Prove($\Phi, x, y, \tau, \mathit{Proof}_2$) = ACCEPT then ACCEPT, else REJECT.

Procedure Check_Prove($\Phi, x, y, \tau, \mathit{Proof}_2$)

“$\Phi = \phi_1 \wedge \phi_2 \wedge \cdots \wedge \phi_n$ is a formula with $n$ clauses over the variables $u_1, u_2, \ldots, u_k$. $x, y$ are $2n$-bit integers, $\tau$ is a $2n^4$-bit long string. $\mathit{Proof}_2$ is a string.”

begin{Check_Prove}

1. “Verify that the assigned triplets are proper.”

   Consider $\tau$ as the concatenation of $n^3$ $2n$-bit integers. If there are less than $33n^2$ integers in $J_x^{+1}$ stop and ACCEPT. “This happens with very low probability.” Else, let $\tau_1, \ldots, \tau_{33n^2}$ be the first $33n^2$ integers belonging to $J_x^{+1}$.

   Group them in $11n^2$ triplets $(\tau_1,\tau_2,\tau_3), (\tau_4,\tau_5,\tau_6), \ldots$. The first $11n$ triplets are assigned to $\phi_1$, the second $11n$ triplets are assigned to $\phi_2$, and so on. Verify that they have been properly computed by $P$.

2. “Verify that $\Phi$ has a proper labeling.”

   For each variable $u_j$, verify that the label of the literal $\bar u_j$ is equal to the label of the literal $u_j$ multiplied by $y$ modulo $x$.

3. For each clause $\phi$ of $\Phi$ do:

   3.1 Let $(\alpha_i,\beta_i,\gamma_i)$, $i = 1, \ldots, 8$, be the verifying triplets of $\phi$ sent by $P$.

   3.2 Verify that $(\alpha_1,\beta_1,\gamma_1)$ is formed by the labels of the three literals of $\phi$.

   3.3 Verify that $(s_1,s_2,s_3)$ is a square root of $(\alpha_2,\beta_2,\gamma_2)$.

   3.4 Verify that for each assigned triplet $(z_1,z_2,z_3)$ of $\phi$, you received an $(\alpha_i,\beta_i,\gamma_i)$-root of $(z_1,z_2,z_3)$, for some $1 \le i \le 8$.

4. If all the above verifications have been successfully made, return ACCEPT otherwise return REJECT.

end{Check_Prove}

5.2 (P,V) is a Bounded Non-Interactive Proof System for 3SAT

First, notice that $(P,V)$ is a sender-receiver pair. Further, all checks of $V$ can be performed in polynomial time, since only simple algebraic computations modulo $x$ and a scanning of the strings $\rho$ and $\tau$ are needed.

Completeness. The same reasoning done in Theorem 4.3 shows that the probability that $V$ does not REJECT at step V.1 is overwhelming. Let us now consider step V.2. The verification of the proper labeling of $\Phi$ is always passed. Since $t$ is a satisfying truth assignment for $\Phi$, each clause $\phi$ has at least one literal true under $t$. This implies that the label of $\phi$ contains at least one quadratic non residue. Because of this, and because there are 8 $\approx_x$ equivalence classes, $P$ can compute 8 verifying triplets satisfying properties (a) and (b). Moreover, since each $\approx_x$ equivalence class contains a verifying triplet, each assigned triplet is $\approx_x$ equivalent to some $(\alpha_i,\beta_i,\gamma_i)$ and thus possesses an $(\alpha_i,\beta_i,\gamma_i)$-root. Therefore, if check V.1 is passed, so is check V.2.

Soundness. An honest prover chooses the pair $(x,y)$ randomly. A cheating one, though, may choose this pair as a function of the reference string. All arguments below thus have the following form. First, we compute the probability that the verifier can be misled with a fixed pair, and show that this probability is suitably small. Then, we prove that, even summing up over all possible choices of pairs, we still obtain a small probability.

Assume that, in a computation with a cheating prover $\mathrm{Prover}'$, $V$ accepts a formula $\Phi \notin$ 3SAT. Then, one of the following 3 events must happen: (a) the pair $(x,y)$ chosen by $\mathrm{Prover}'$ is not in $NQR(2n)$, (b) $(x,y) \in NQR(2n)$, but Verifier accepts at step 1 of Check_Prove, and (c) $(x,y) \in NQR(2n)$, $\mathrm{Prover}'$ does not stop at step 1 of Prove, but $\Phi$ is not 3-satisfiable. We shall prove that each of these events is very improbable. The probability that (a) occurs has already been computed in Theorem 4.3 and shown to be exponentially vanishing in $n$. Now, consider event (b). For each fixed $x \in \mathrm{Regular}(2)$, $|x| \le n$, since each $\tau_i$ has probability $> 1/8$ to be in $J_x^{+1}$, we expect $n^3/8$ such elements in $J_x^{+1}$. By the Chernoff bound (see [AnVa], [ErSp]), the probability that no more than $33n^2$ belong to $J_x^{+1}$ is, for large $n$, at most $e^{-n^2}$. Thus, the probability that there is an integer $x$ such that case (b) occurs is, for large $n$, at most $2^{2n} e^{-n^2}$. Let us now consider event (c). If (c) occurs, then the following event (d) must also occur: at least $11n$ consecutive assigned triplets $(\tau_i, \tau_{i+1}, \tau_{i+2})$ must belong to the union of 7 $\approx_x$ equivalence classes. In fact, if $\Phi$ is not satisfiable, for every labeling of $\Phi$, one of its clauses is labeled with a triplet of quadratic residues. (Else, all clauses would be satisfiable.) Let $\phi$ be such a clause. Since verification step 3.3 must be passed, $\mathrm{Prover}'$ must exhibit a square root of $(\alpha_2,\beta_2,\gamma_2)$, and thus this triplet is $\approx_x$ equivalent to $\phi$'s label, $(\alpha_1,\beta_1,\gamma_1)$. Thus, all verifying triplets of $\phi$ are contained in the union of at most 7 $\approx_x$ equivalence classes. Since each $(\tau_i, \tau_{i+1}, \tau_{i+2})$ is proved in step 3.4 to be $\approx_x$ equivalent to one verifying triplet, then event (d) must be true. The probability of event (d) is at most $8n(0.93)^n$. (Indeed, for each fixed $x$ the probability that at least $11n$ assigned triplets belong to the union of 7 equivalence classes is less than $8n(7/8)^{11n}$; this can be explained as follows: $7/8$ is the probability that each triplet belongs to the union of 7 fixed equivalence classes, there are $11n$ triplets, there are at most $\binom{8}{7} = 8$ ways to choose 7 classes out of 8, and there are $n$ clauses altogether. Therefore, the probability that there exists an integer $x$ such that case (d) occurs is at most $2^{2n} \cdot 8n (7/8)^{11n} < 8n(0.93)^n$.) This concludes the proof of soundness.

Remark: $(P,V)$ can also be modified in the same way as $(A,B)$ can be modified so as to achieve perfect completeness. This is the reason why the verifier in step 1 of Check_Prove accepts if there are less than $33n^2$ integers in $J_x^{+1}$. Notice also that the prover need not have infinite computing power. In fact, an efficient algorithm can perform all required computations provided that it has as an additional input the satisfying assignment for $\Phi$.

We show now that the Proof System $(P,V)$ is also Zero-Knowledge over 3SAT. We first exhibit a simulator for $V$'s view and then prove that it works.

5.3 The Simulator

The following algorithm $S$, on input a formula $\Phi \in$ 3SAT (but not a satisfying assignment for $\Phi$), generates a family of random variables that, under the QRA, no efficient non-uniform algorithm can distinguish from the view of $V$. Notice that the view of $V$ consists of a quadruple $(\rho \circ \tau, (x,y), \mathit{Proof}_1, \mathit{Proof}_2)$; thus, the task of the simulator is to produce a quadruple that cannot be distinguished, under the QRA, from a correct quadruple. Looking ahead, the two crucial points in the strategy of the simulator are:

1. To choose the auxiliary pair $(x,y)$ so that $x \in BL(n)$ but $y$ is a quadratic residue modulo $x$.

2. To choose a portion of the reference string not at random. Rather, select it among the strings that do not contain any quadratic non residue modulo $x$ in $J_x^{+1}$.

This strategy is viable because the simulator can choose the reference string (which is instead fixed for the prover) and because it is hard to distinguish between random members of $J_x^{+1}$ and random quadratic residues modulo $x$.

For a clearer presentation $S$'s program has been broken down into procedures. To give an informal help in reading these procedures, we write $z'$ for a value computed by the simulator, when we want to emphasize that this value is “fundamentally different” from the “corresponding” value $z$ computed by the prover $P$, though an exponentially long computation may be required to determine this fact.

$S$'s program

Input: a 3-satisfiable formula $\Phi = \phi_1 \wedge \phi_2 \wedge \cdots \wedge \phi_n$ over the variables $u_1, u_2, \ldots, u_k$, $k \le 3n$.

1. Randomly select two $n$-bit primes $p, q \equiv 3 \bmod 4$ and set $x = pq$.

   Randomly select $r \in Z_x^*$ and set $y' = r^2 \bmod x$. “Call $(x, y')$ the auxiliary pair.”

2. Execute procedure Gen_ρ_and_Proof1($x, y'$) obtaining the strings $\rho'$ and $\mathit{Proof}_1$.

3. Generate a random $2n^4$-bit string $\tau$.

4. Execute procedure Gen_Proof2($\Phi, x, y', p, q, \tau$) obtaining the string $\mathit{Proof}_2$.

Output: $(\rho' \circ \tau, (x, y'), \mathit{Proof}_1, \mathit{Proof}_2)$

Procedure Gen_ρ_and_Proof1($x, y$)

“This procedure is used both by the simulator $S$ and, later on, by some probabilistic algorithm. In any call, $x \in BL(n)$ and $y \in J_x^{+1}$. When the procedure is called by the simulator $S$, $y$ is a quadratic residue modulo $x$.”

begin{Gen_ρ_and_Proof1}

1. Set $\mathit{Proof}_1$ = empty string.

2. For $i = 1$ to $4n^2$

   Randomly select a $2n$-bit integer $s_i$, with possible leading 0s.

   If $s_i \notin J_x^{+1}$ then set $\rho_i = s_i$,
   else

      Toss a fair coin.

      If HEAD then set $\rho_i = s_i^2 \bmod x$ and append $s_i$ to $\mathit{Proof}_1$.

      If TAIL then set $\rho_i = y^{-1} s_i^2 \bmod x$ and append $s_i \bmod x$ to $\mathit{Proof}_1$.

3. Set $\rho = \rho_1 \cdots \rho_{4n^2}$.

4. Return($\rho, \mathit{Proof}_1$)

end{Gen_ρ_and_Proof1}

Let us now see that sometimes Gen_ρ_and_Proof1 “generates what the legitimate prover would generate”.

Lemma 5.1 Define Space1($x,y$) as the probability space generated by the output of Gen_ρ_and_Proof1 on input $x,y$. Then, for all $x \in BL(n)$ and $y \in NQR_x$

$\mathrm{Space1}(x,y) = \{\rho \leftarrow \{0,1\}^{8n^3};\ \mathit{Proof}_1 \leftarrow \mathrm{P\_Proof1}(x, y, \rho) : (\rho, \mathit{Proof}_1)\}$

where P_Proof1 is $P$'s procedure to compute $\mathit{Proof}_1$ (i.e. step P.2).

Proof. Fix $x \in BL(n)$ and $y \in NQR_x$. It can be easily seen that the first component of Gen_ρ_and_Proof1's output is randomly distributed among the $8n^3$-bit long strings. Moreover, if $\rho_i \in J_x^{+1}$, the corresponding $s_i$ is a random $(x,y)$-root of $\rho_i$. Thus $s_i$ has the same probability of belonging to Gen_ρ_and_Proof1's output as it has to be sent, at step P.2, from prover $P$ to verifier $V$ on inputs $(x,y)$ and $\rho$. $\square$

Procedure Gen_Proof2($\Phi, x, y', p, q, \tau$)

“This procedure is used both by the simulator $S$ and, later on, by some probabilistic algorithm. In any call, $x \in BL(n)$, $x = pq$, and $y' \in QR_x$. It returns a string $\mathit{Proof}_2$ that “proves” that the formula $\Phi = \phi_1 \wedge \phi_2 \wedge \cdots \wedge \phi_n$ is 3-satisfiable using the string $\tau$ and the pair $(x, y')$ even without knowing any satisfying assignment for $\Phi$.”

begin{Gen_Proof2}

0. Set $\mathit{Proof}_2$ = empty string.

1. Consider $\tau$ as the concatenation of $n^3$ $2n$-bit integers. If there are less than $33n^2$ integers in $J_x^{+1}$ stop. Else, let $\tau_1, \ldots, \tau_{33n^2}$ be the first $33n^2$ integers belonging to $J_x^{+1}$.

   Group the $\tau_i$'s in $11n^2$ triplets $(\tau_1,\tau_2,\tau_3), (\tau_4,\tau_5,\tau_6), \ldots$. The first $11n$ triplets are assigned to $\phi_1$, the second $11n$ triplets are assigned to $\phi_2$, and so on.

2. For each variable $u_j$, randomly select $w_j \in NQR_x$ and label the literal $u_j$ with $w_j$ and the literal $\bar u_j$ with $y' w_j \bmod x$.

   “Since $y'$ is a quadratic residue, all labels are quadratic non residues.”

   Append the labeling of $\Phi$ to $\mathit{Proof}_2$.

3. For each clause $\phi$ of $\Phi$ do:

   •  Let $\alpha_1, \beta_1$, and $\gamma_1$ be the labels of the three literals of $\phi$. Thus, $\alpha_1, \beta_1, \gamma_1 \in NQR_x$.

      Choose at random 7 triplets $(\alpha_2,\beta_2,\gamma_2), \ldots, (\alpha_8,\beta_8,\gamma_8)$ in $J_x^{+1} \times J_x^{+1} \times J_x^{+1}$ such that $(\alpha_i,\beta_i,\gamma_i) \not\approx_x (\alpha_j,\beta_j,\gamma_j)$, for $1 \le i < j \le 8$, and $Q_x(\alpha_2) = Q_x(\beta_2) = Q_x(\gamma_2) = 0$.

      Append the triplets $(\alpha_1,\beta_1,\gamma_1), \ldots, (\alpha_8,\beta_8,\gamma_8)$ as the verifying triplets of $\phi$ to $\mathit{Proof}_2$.

   •  Randomly choose and append a square root of $(\alpha_2,\beta_2,\gamma_2)$ to $\mathit{Proof}_2$.

   •  For each of the assigned triplets $(z_1,z_2,z_3)$ of $\phi$, choose $i$, $1 \le i \le 8$, so that $(z_1,z_2,z_3) \approx_x (\alpha_i,\beta_i,\gamma_i)$. Randomly choose and append an $(\alpha_i,\beta_i,\gamma_i)$-root of $(z_1,z_2,z_3)$ to $\mathit{Proof}_2$.

4. Return($\mathit{Proof}_2$)

end{Gen_Proof2}

Lemma 5.2 Algorithm $S$ is efficient.

Proof: The main body and procedure Gen_ρ_and_Proof1 are computationally trivial. The first two steps of procedure Gen_Proof2 are also quite easy as, due to Fact 2.9, generating a random quadratic non residue in $J_x^{+1}$ is easy when $x \in BL$. Let us now see that also step 3 can always be completed, and efficiently as well. Given that the first verifying triplet has been chosen to be composed of quadratic non residues in $J_x^{+1}$ and the second of quadratic residues, it is certainly possible to choose the other 6 verifying triplets so that all of them belong to 8 distinct $\approx_x$ equivalence classes. Moreover, given that the factorization of $x$ is an available input, the remaining part of step 3 can be efficiently executed. $\square$

5.4 (P,V) is Zero-Knowledge

Theorem 5.2 Under the QRA, $(P,V)$ is a Bounded Non-Interactive ZKPS for 3SAT.

Proof. All that is left to prove is that $(P,V)$ satisfies the Zero-Knowledge condition. We do this by showing that algorithm $S$ of the previous section simulates the view of the verifier $V$.

We proceed by contradiction. Assume that there exists a positive constant $d$, an infinite subset $I \subseteq \mathbb{N}$, a set $\{\Phi_n\}_{n \in I}$ such that each $\Phi_n$ is a 3-satisfiable formula with $n$ clauses, and an efficient non-uniform “distinguishing” algorithm $\{D_n\}_{n \in I}$ such that for all $n \in I$

$|P_S(n) - P_V(n)| > n^{-d},$

where $P_S(n) = \Pr(s \leftarrow S(1^n, \Phi_n) : D_n(s) = 1)$ and $P_V(n) = \Pr(s \leftarrow \mathrm{View}(n, \Phi_n) : D_n(s) = 1)$.

We derive a contradiction by showing an efficient non-uniform algorithm $\{C_n\}_{n \in I}$ violating the QRA. On input randomly chosen $x \in BL(n)$ and $y \in J_x^{+1}$, $C_n$ constructs a string SAMPLE which is distributed according to $S(1^n, \Phi_n)$ if $y \in QR_x$, and according to $\mathrm{View}(n, \Phi_n)$ if $y \in NQR_x$. Thus, as the non-uniform algorithm $\{D_n\}_{n \in I}$ is assumed to distinguish the two probability spaces, this is a violation of QRA.

The Algorithm $C_n$

“$C_n$ has “wired-in” a formula $\Phi_n$ along with $t$, the lexicographically smallest satisfying truth assignment for $\Phi_n$, a description of $D_n$, and the probabilities $P_S(n)$ and $P_V(n)$.”

Input: $(x,y)$ such that $x \in BL(n)$ and $y \in J_x^{+1}$

1. Execute procedure Gen_ρ_and_Proof1($x,y$), thus obtaining $\rho$ and $\mathit{Proof}_1$.

2. Execute procedure Sample_τ_and_Proof2($\Phi_n, t, x, y$), thus obtaining $\tau$ and $\mathit{Proof}_2$.

3. Set SAMPLE $= (\rho \circ \tau, (x,y), \mathit{Proof}_1, \mathit{Proof}_2)$.

4. If $D_n(\mathrm{SAMPLE}) = 1$ then set $b = 1$ else $b = 0$.

5. If $P_S(n) > P_V(n)$ then Output($b$) else Output($1 - b$).

Procedure Sample_r_and_Proof2$(\Phi, t, x, y)$

"$\Phi = \phi_1 \wedge \cdots \wedge \phi_n$ is a 3-satisfiable formula with $n$ clauses over the variables $u_1, u_2, \ldots, u_k$, $k \le 3n$.
$t : \{u_1, \ldots, u_k\} \to \{0, 1\}$ is a satisfying truth assignment for $\Phi$. $x \in BL(n)$ and $y \in J_x^{+1}$."

begin {Sample_r_and_Proof2}

1. For $i = 1$ to $n^3$ do:

randomly select a $2n$-bit integer $r_i$ (with possible leading 0's);
if $r_i \notin J_x^{+1}$ then set $s_i = r_i$;
else toss a fair coin: if HEAD then set $s_i = r_i^2 \bmod x$; if TAIL then set $s_i = -r_i^2 \bmod x$.

2. Set $Proof_2$ = empty string.

3. Let $j_1, \ldots, j_{33n^2}$ be the indices of the first $33n^2$ $s_i$'s belonging to $J_x^{+1}$.

If there are less than $33n^2$ such integers, set $r = s_1 \cdots s_{n^3}$ and stop.

Else, set $r_i = s_i$ for all indices $i$ not in $\{j_1, \ldots, j_{33n^2}\}$.

4. Group the $j_i$'s in $11n^2$ triplets. Assign the $11n^2$ triplets to the clauses in the following way: the
first $11n$ triplets are assigned to the first clause, $\phi_1$, the second $11n$ triplets are assigned to the second
clause, $\phi_2$, and so on.

5. For each variable $u_j$, randomly select $v_j \in Z_x^*$ and assign the label $w_j$ to the literal $u_j$ and the label
$y w_j \bmod x$ to the literal $\bar{u}_j$, where

$$w_j = \begin{cases} -v_j^2 \bmod x & \text{if } t(u_j) = 1 \text{ and} \\ -y v_j^2 \bmod x & \text{if } t(u_j) = 0. \end{cases}$$

Call this the labeling of $\Phi$ and append it to $Proof_2$.

6. For each clause $\phi$ of $\Phi$ do:

• Let $-y a^2 \bmod x$, $-y b^2 \bmod x$, $-c^2 \bmod x$ be the labels of the three literals of $\phi$, where $a, b, c$ are the
previously computed values in $Z_x^*$.

"We consider only one case, not to overburden our notation. The other cases are treated
similarly."

• Randomly choose 21 elements $a_1, b_1, c_1, \ldots, a_7, b_7, c_7 \in Z_x^*$, and construct the following 8
triplets

$$(-y a^2 \bmod x,\; -y b^2 \bmod x,\; -c^2 \bmod x)$$

$$(a_1^2 \bmod x,\; b_1^2 \bmod x,\; c_1^2 \bmod x)$$

$$(a_2^2 \bmod x,\; -b_2^2 \bmod x,\; c_2^2 \bmod x)$$

$$(a_3^2 \bmod x,\; -b_3^2 \bmod x,\; -c_3^2 \bmod x)$$

$$(-a_4^2 \bmod x,\; b_4^2 \bmod x,\; c_4^2 \bmod x)$$

$$(-a_5^2 \bmod x,\; b_5^2 \bmod x,\; -c_5^2 \bmod x)$$

$$(-a_6^2 \bmod x,\; -b_6^2 \bmod x,\; c_6^2 \bmod x)$$

$$(y a_7^2 \bmod x,\; y b_7^2 \bmod x,\; -c_7^2 \bmod x).$$

• Construct the 8 verifying triplets of $\phi$ as

$$(\alpha_1, \beta_1, \gamma_1) = (-y a^2 \bmod x,\; -y b^2 \bmod x,\; -c^2 \bmod x)$$

$$(\alpha_2, \beta_2, \gamma_2) = (a_1^2 \bmod x,\; b_1^2 \bmod x,\; c_1^2 \bmod x)$$

Randomly permute the remaining 6 triplets and assign them to $(\alpha_3, \beta_3, \gamma_3), \ldots, (\alpha_8, \beta_8, \gamma_8)$.
Append $(\alpha_1, \beta_1, \gamma_1), \ldots, (\alpha_8, \beta_8, \gamma_8)$ to $Proof_2$.

• Append the triplet $(a_1, b_1, c_1)$ to $Proof_2$ as a square root of $(\alpha_2, \beta_2, \gamma_2)$.

• For each triplet $(j_{l_1}, j_{l_2}, j_{l_3})$ of indices assigned to $\phi$:

Randomly choose one of the 8 verifying triplets, say $(\alpha_k, \beta_k, \gamma_k)$.

Randomly choose $v_1, v_2, v_3 \in Z_x^*$ and set $r_{j_{l_1}} = v_1^2 \alpha_k \bmod x$, $r_{j_{l_2}} = v_2^2 \beta_k \bmod x$, and
$r_{j_{l_3}} = v_3^2 \gamma_k \bmod x$.

Compute and append to $Proof_2$ $(v_1 \alpha_k \bmod x,\; v_2 \beta_k \bmod x,\; v_3 \gamma_k \bmod x)$ as an $(\alpha_k, \beta_k, \gamma_k)$-root
of $(r_{j_{l_1}}, r_{j_{l_2}}, r_{j_{l_3}})$.

• Set $r = r_1 \cdots r_{n^3}$.

7. Return($r$, $Proof_2$).

end {Sample_r_and_Proof2}

There is no question that $\{C_n\}_{n \in I}$ is an efficient non-uniform algorithm. Let now $Space2(\Phi_n, t, x, y)$ be
the probability space generated by the output of Sample_r_and_Proof2 on input $\Phi_n, t, x, y$. Then, for all
$n \in I$ and for all $x \in BL(n)$, $Space2(\Phi_n, t, x, y)$ is equal to

$$\{r \leftarrow \{0,1\}^{2n^4};\; Proof_2 \leftarrow Prove(\Phi_n, t, x, y, r) : (r, Proof_2)\} \quad \text{if } y \in NQR_x \text{ and}$$

$$\{r \leftarrow \{0,1\}^{2n^4};\; Proof_2 \leftarrow Gen\_Proof2(\Phi_n, x, y, p, q, r) : (r, Proof_2)\} \quad \text{if } y \in QR_x, \qquad (*)$$

where $p, q$ are the prime factors of $x$.

To see (*), notice that if $y \in NQR_x$ then the label $w_j$ assigned to each literal $u_j$ by $C_n$ is a random
element selected from either $NQR_x$ or $QR_x$ depending on whether $t(u_j)$ is true or false, respectively (this
is the same computation performed by Prove). If $y \in QR_x$ then the label $w_j$ of literal $u_j$ is always a
random element selected from $NQR_x$ (in the same way as Gen_Proof2 computes it). In both cases the
label of $\bar{u}_j$ is $y w_j \bmod x$.

Regardless of the quadratic residuosity of $y$ modulo $x$, for each clause $\phi$ of $\Phi$, the 8 verifying triplets of $\phi$
computed by $C_n$ are always selected at random among the triplets of elements in $J_x^{+1}$ that are pairwise
not equivalent, the first triplet consists of the labels of the three literals of $\phi$, and the second triplet
is made of three quadratic residues.

The string $r$ output by $C_n$ is truly random (regardless of the quadratic residuosity of $y$ modulo $x$). Indeed,
each $r_i$ is randomly selected from the $2n$-bit long strings, and independently of the remaining $r_j$'s.
Finally, for each clause and each of its assigned triplets $(r_{j_1}, r_{j_2}, r_{j_3})$ the corresponding $(v_1 \alpha_k \bmod x,$
$v_2 \beta_k \bmod x, v_3 \gamma_k \bmod x)$ is a random $(\alpha_k, \beta_k, \gamma_k)$-root of $(r_{j_1}, r_{j_2}, r_{j_3})$. This completes the proof of (*).
Since $SAMPLE = (\rho \circ r, (x, y), Proof_1, Proof_2)$, because of (*) and because of Lemma 5.1, for randomly
selected $x \in BL(n)$ and $y \in J_x^{+1}$, $SAMPLE$ is distributed as $View(\Phi_n)$ if $y \in NQR_x$ and as $S(1^n, \Phi_n)$
if $y \in QR_x$. Given our assumption about the efficient non-uniform algorithm $\{D_n\}_{n \in I}$, it is immediately
seen that, for all $n \in I$, $\Pr(x \leftarrow BL(n);\; y \leftarrow J_x^{+1} : C_n(x, y) = Q_x(y)) \ge 1/2 + 1/(2n^d)$, which contradicts
the QRA. □


Remark: the reader is encouraged to verify that if the same reference string $\sigma$ and the same $(x, y)$ are
used by the prover to prove that two formulae $\Phi$ and $\Psi$ are 3-satisfiable then "extra knowledge may leak".
For instance, that there exist a satisfying assignment for $\Phi$ and a satisfying assignment for $\Psi$ for
which a literal in $\Phi$ and a literal in $\Psi$ have the same truth value.

The moral is that one must be careful when using the same set-up, i.e. the common reference string and
the same pair $(x, y)$, to prove an "unlimited" number of formulae to be satisfiable. This is indeed the
goal of Section 6.
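The labeling rule of step 5 and the $(\alpha_k, \beta_k, \gamma_k)$-roots of step 6 of Sample_r_and_Proof2, together with the reuse caveat of the Remark, as an added example that is not code from the paper: a Python script on a toy Blum integer $x = 499 \cdot 503$ (a constructed value; the paper uses $n$-bit primes). The satisfying assignment, the seed and all function names are the example's own. The script checks that with $y \in NQR_x$ a literal's label is a non-residue exactly when the literal is true under $t$, that with $y \in QR_x$ every label is a non-residue, that $v\alpha \bmod x$ is an $\alpha$-root of $r_i = v^2 \alpha \bmod x$ (the relation read off step 6: the square of the root equals $\alpha r_i$), and that such a root ties $r_i$ to the residuosity class of $\alpha$, which is why the same $r$ and $(x, y)$ must not serve two different formulae.

```python
"""Added example, not code from the paper: the literal labels of step 5 and the
(alpha, beta, gamma)-roots of step 6 of Sample_r_and_Proof2 on a toy Blum
integer.  Primes, assignment and seed are constructed values."""
import random
from math import gcd

P, Q = 499, 503            # both 3 mod 4, so X = P*Q is a Blum integer (constructed, tiny)
X = P * Q


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; needs no factorization of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(a, p=P, q=Q):
    """Trapdoor test: a is a square mod pq iff it is a square mod p and mod q."""
    return pow(a % p, (p - 1) // 2, p) == 1 and pow(a % q, (q - 1) // 2, q) == 1


def in_j_plus_one(a, x=X):
    """Membership in J_x^{+1}, the only residuosity test a verifier can run."""
    return jacobi(a, x) == 1


def rand_unit(rng, x=X):
    """Random element of Z_x^* (coprime to x)."""
    while True:
        v = rng.randrange(1, x)
        if gcd(v, x) == 1:
            return v


def sample_y(residue, rng):
    """y in J_X^{+1}: a residue (simulator's choice) or a non-residue (prover's choice)."""
    while True:
        y = rand_unit(rng)
        if in_j_plus_one(y) and is_qr(y) == residue:
            return y


def label_literals(t, y, rng, x=X):
    """Step 5: w_j = -v_j^2 if t(u_j) = 1, -y v_j^2 if t(u_j) = 0; the complement
    literal gets y*w_j.  Keys ('u', j) and ('not', j) are the example's own."""
    labels = {}
    for j, truth in t.items():
        v = rand_unit(rng, x)
        w = (-v * v) % x if truth else (-y * v * v) % x
        labels[('u', j)] = w
        labels[('not', j)] = (y * w) % x
    return labels


def make_root_pair(alpha, rng, x=X):
    """Step 6, done without the factors of x: fix r_i = v^2 * alpha, so that
    v * alpha is an alpha-root of r_i, i.e. (v*alpha)^2 = alpha * r_i (mod x)."""
    v = rand_unit(rng, x)
    return (v * v * alpha) % x, (v * alpha) % x


def check_root(alpha, r_i, u, x=X):
    """Verifier's check of an alpha-root u of r_i."""
    return (u * u) % x == (alpha * r_i) % x


def demo(seed=7):
    rng = random.Random(seed)
    t = {1: 1, 2: 0, 3: 1}                                 # constructed satisfying assignment
    lab_p = label_literals(t, sample_y(False, rng), rng)   # y in NQR_X, as the prover
    lab_s = label_literals(t, sample_y(True, rng), rng)    # y in QR_X, as the simulator
    # Prover's labels: non-residue exactly when the literal is true under t.
    prover_ok = all(is_qr(lab_p[('u', j)]) == (t[j] == 0) and
                    is_qr(lab_p[('not', j)]) == (t[j] == 1) for j in t)
    # Simulator's labels: all non-residues, so nothing about t is encoded.
    sim_all_nqr = all(not is_qr(w) for w in lab_s.values())
    # A root ties r_i to the class of alpha.  If the same r_i were reused with a
    # second label alpha2 (another formula, same x, y, r), a verifier would learn
    # whether alpha and alpha2 share a class, i.e. whether two literals agree.
    alpha, alpha2 = lab_p[('u', 1)], lab_p[('u', 3)]
    r_i, u = make_root_pair(alpha, rng)
    root_ok = check_root(alpha, r_i, u) and in_j_plus_one(r_i)
    same_class = is_qr(alpha * alpha2 % X)                 # both literals true: same class
    return prover_ok, sim_all_nqr, root_ok, same_class


if __name__ == "__main__":
    print(demo())       # (True, True, True, True)
```

Only `is_qr` uses the factorization of $x$; `in_j_plus_one` and `check_root` are the checks a verifier can run, and the last flag shows what a verifier could infer about two labels if one position of $r$ were rooted against both of them.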
5.5 Arthur-Merlin Games and Bounded Non-Interactive Zero Knowledge

Theorem 5.3 If $3SAT \in$ Bounded-NIZK, then Bounded-NIZK $= AM2$.

Proof. Since Bounded-NIZK $\subseteq$ Bounded Non-Interactive P $= AM2$, it only remains to show that $AM2 \subseteq$
Bounded-NIZK. For $L \in AM2$ define the language $L' = \bigcup_n L'(n)$, where

$$L'(n) = \{(r, x) : |r| = n^c,\; x \in L_n,\; \text{and } \exists w,\; |w| \le n^c \text{ such that } Verifier(r, x, w) = 1\}$$

and $(Prover, Verifier)$ is a Bounded Non-Interactive Proof System for $L$ with constant $c$. Then $x \in L_n$
iff $(r, x) \in L'(n)$ for most $n^c$-bit strings $r$. Moreover $L' \in NP$, thus there is a fixed polynomial-time
computable reduction $R$ such that

$$(r, x) \in L'(n) \iff \Psi = R(r, x) \in 3SAT_{n^b},$$

where $b > 0$ is a fixed constant depending only on the reduction $R$.

We now describe a Bounded Non-Interactive ZKPS $(P, V)$ for $L$. On input $x \in L_n$ and the reference
string $r \circ \sigma$, where $|r| = n^c$ and $\sigma$ has the proper length, $P$ constructs the formula $\Psi = R(r, x)$ and,
if it is 3-satisfiable, proves in bounded non-interactive zero knowledge, with input $\Psi$ and $\sigma$, that
indeed $\Psi \in 3SAT_{n^b}$. □

Theorem 5.4 Under the QRA, Bounded-NIZK $= AM2$.


6  Non-interactive  Zero  Knowledge 

We now want to capture the ability of giving non-interactive and zero-knowledge proofs of "many"
theorems, using the same common reference string, in an "on-line manner". That is, each theorem can
be proven independently of all previous and future theorems.

We will present our formal definition when the theorems to be proven are statements about
3-satisfiability.

Definition 6.1 Let $(Prover, Verifier)$ be a sender-receiver pair, where $Prover(\cdot, \cdot)$ is random selecting
and $Verifier(\cdot, \cdot, \cdot)$ is polynomial-time. We say that $(Prover, Verifier)$ is a Non-interactive Zero-Knowledge
Proof System (Non-interactive ZKPS) if the following 3 conditions hold.

1. Completeness. $\forall \Phi \in 3SAT$ and all $n$,

$$\Pr(\sigma \leftarrow \{0,1\}^n;\; Proof \leftarrow Prover(\sigma, \Phi) : Verifier(\sigma, \Phi, Proof) = 1) = 1.$$

2. Soundness. There exists a constant $c_1 > 0$ such that, for all probabilistic algorithms $Adversary$
outputting pairs $(\Phi', Proof')$, where $\Phi' \notin 3SAT$, $\forall d > 0$, and $\forall n > c_1$,

$$\Pr(\sigma \leftarrow \{0,1\}^n;\; (\Phi', Proof') \leftarrow Adversary(\sigma) : Verifier(\sigma, \Phi', Proof') = 1) < n^{-d}.$$

3. Zero-Knowledge. There exist a constant $c_2 > 0$ and an efficient algorithm $S$ such that $\forall \Phi_1, \Phi_2, \ldots \in$
$3SAT$, for all efficient non-uniform algorithms $D$, $\forall d > 0$, and all $n > c_2$,

$$\left| \Pr(s \leftarrow View(n, \Phi_1, \Phi_2, \ldots) : D_n(s) = 1) - \Pr(s \leftarrow S(1^n, \Phi_1, \Phi_2, \ldots) : D_n(s) = 1) \right| < n^{-d}$$

where

$$View(n, \Phi_1, \Phi_2, \ldots) = \{\sigma \leftarrow \{0,1\}^n;\; Proof_1 \leftarrow Prover(\sigma, \Phi_1);\; Proof_2 \leftarrow Prover(\sigma, \Phi_2);\; \ldots : (\sigma, Proof_1, Proof_2, \ldots)\}.$$

A sender-receiver pair $(Prover, Verifier)$ is a Non-Interactive Proof System for $3SAT$ if Completeness and
Soundness hold.

Discussion. First, notice that we have set the probability of acceptance of true theorems to be 1 since
$3SAT \in NP$. Notice also the generality of our definition, as it handles any number of formulae of
arbitrary size in Completeness, Soundness, and Zero-Knowledge. That is, every true theorem can be
proven, no matter how long. Of course longer theorems will have longer proofs. Since the verifier is
polynomial-time in the length of the common input, it will have more time to verify that a longer formula
is 3-satisfiable. Every false theorem, no matter how long, has negligible probability of being "successfully
proved"; however, though the length of the proof grows with the length of the theorem, "negligible" is
defined only as a function of the length of the reference string.6 Finally, every theorem, no matter how
long, possesses a Zero-Knowledge proof. Of course, a longer theorem will have a longer proof and thus
the polynomial-time simulator will have longer time to simulate the proofs. The zero-knowledgeness of
the simulator's proofs only holds for a non-uniform "observer" bounded by the length of the reference
string.7

The definition of Non-Interactive ZKPS might be more general if perfect completeness is relaxed to
completeness as in Section 3. In this case the adversarial choosing algorithm Choose-in-L should be given
$\sigma$ and access to $Prover$'s random selector.

6.1 The Sender-Receiver Pair (P,V)

In this subsection we describe a sender-receiver pair $(P, V)$. $P$ can prove in zero-knowledge the
3-satisfiability of any number of 3-satisfiable formulae with $n$ clauses each. Later, we shall show how to use
the same protocol to prove any number of formulae, each of arbitrary size.

Before going into a formal description of the proof system, we give an informal view of the protocol.

An informal look at (P,V).

Observation: A crucial observation that will be (implicitly) proved in this section is the following. If
many certified auxiliary pairs $(x, y)$ ($x \in BL$ and $y \in NQR_x$) are available, one can use each $(x, y)$ to
prove in zero-knowledge that any single formula $\Phi_{(x,y)} \in 3SAT$ with $n$ clauses is 3-satisfiable using the
same random string $r$. As we remarked in Section 5, the same $r$ and the same auxiliary pair should
not be used to prove the 3-satisfiability of two different formulae.

In the light of the above observation, we want to construct a mechanism to achieve the following two
goals:

(1) Associating to each formula $\Phi$ an auxiliary pair $(x^*, y^*)$, of "bounded" size, so that, with
overwhelming probability, different formulae are associated to different pairs.

(2) Certifying $(x^*, y^*)$, i.e. proving that $x^* \in BL$ and $y^* \in NQR_{x^*}$.

6 Which de facto is a security parameter.

7 In particular, if a theorem and its proof are exponentially long (with respect to the reference string) the distinguishing
algorithm can compare the actual "view" and the output of the simulator only for a polynomially long prefix.
The first goal could be achieved by using the random selector, but the problem of the certification
remains. The current mechanism for certifying in Zero-Knowledge a single auxiliary pair $(x, y)$ using $\rho$
can be extended to handle "a few" more pairs, but not arbitrarily many.8 Instead, we use a mechanism
of recursive nature to simultaneously achieve (1) and (2).

Let us first describe this recursive mechanism for a prover "with memory." Such a prover can construct
and store a binary tree of depth $n$. The left child of each node will also be denoted as the 0-child, and
the right one as the 1-child. Thus each node in the tree is labeled with a binary string of length at most
$n + 1$. The root is labeled 0, and each other node is labeled with the string describing the unique path
from the root to it. Thus, for instance, the left child of the root has label 00, and the rightmost leaf
of the tree has label $01^n$. With each node (labeled) $i$, the prover stores a randomly selected auxiliary
pair $(x_i, y_i)$. The prover uses $(x_i, y_i)$ for certifying the auxiliary pairs of the children of node $i$, that is,
$(x_{i0}, y_{i0})$ and $(x_{i1}, y_{i1})$. The first auxiliary pair $(x_0, y_0)$ is certified using string $\rho$ as in Section 4. For each $i$, the two
pairs $(x_{0b_1 \cdots b_i 0}, y_{0b_1 \cdots b_i 0})$, $(x_{0b_1 \cdots b_i 1}, y_{0b_1 \cdots b_i 1})$ are certified together as in Section 5, using the same string
$r_1$. That is, consider the language $L = \bigcup_n L(n)$, where

$$L(n) = \{((u_0, v_0), (u_1, v_1)) : u_0, u_1 \in BL(n),\; v_0 \in NQR_{u_0},\; v_1 \in NQR_{u_1}\}.$$

Then $L \in NP$. Thus, there exists a fixed polynomial-time computable function $CR$ such that

$$((u_0, v_0), (u_1, v_1)) \in L(n) \iff \Psi = CR(u_0, v_0, u_1, v_1) \in 3SAT_{n^e}$$

where $e$ is a fixed constant depending only on the reduction $CR$. More precisely, let $T$ be a polynomial-time
Turing machine such that $x \in L$ iff there is a "witness" (string) $w$ such that $|w| \le |x|^e$ and
$T(x, w) = 1$. Then, the formula $\Psi$ is obtained by encoding the computation of $T$ as in Cook's Theorem,
and then reducing it to a 3-satisfiable formula, as Cook suggested [Co]. A well known property of this
reduction is that to each "witness" $w$ one can associate in polynomial time a satisfying assignment for
$\Psi$. In our case the witness consists of the primes in the factorizations of $u_0$ and $u_1$ and their proof of
primality. The proof (witness) of the primality of a prime $p$ is probabilistically constructed in a standard
way: by running algorithm [AdHu] on input $p$ flipping coins as needed.

We will thus certify $(x_{0b_1 \cdots b_i 0}, y_{0b_1 \cdots b_i 0})$, $(x_{0b_1 \cdots b_i 1}, y_{0b_1 \cdots b_i 1})$ by showing that the so constructed

$$\Psi_{0b_1 \cdots b_i} = CR((x_{0b_1 \cdots b_i 0}, y_{0b_1 \cdots b_i 0}), (x_{0b_1 \cdots b_i 1}, y_{0b_1 \cdots b_i 1})) \in 3SAT_{n^e}.$$

For each $\Psi_{0b_1 \cdots b_i}$, this is done using the proof system of Section 5, and the same string $r_1$, which in fact
has length $2n^a$, with $a = 4e$.

What have we gained by this? Essentially that we have transformed the problem of certifying $(x_{0b_1 \cdots b_i 0},$
$y_{0b_1 \cdots b_i 0})$, $(x_{0b_1 \cdots b_i 1}, y_{0b_1 \cdots b_i 1})$ into the problem of proving $\Psi_{0b_1 \cdots b_i} \in 3SAT_{n^e}$, and we have observed
(but not yet proved) that one can prove in zero knowledge arbitrarily many theorems of size $n$ given
arbitrarily many, independent, certified pairs $(x, y)$'s. Since these pairs are randomly and independently
selected, with overwhelming probability, each pair $(x_{0b_1 \cdots b_i}, y_{0b_1 \cdots b_i})$ is used only once with $r_1$, to prove
$\Psi_{0b_1 \cdots b_i} \in 3SAT_{n^e}$.

In sum, this mechanism provides each formula $\Phi$ with a certified auxiliary pair $(x^*, y^*)$ that is uniquely
determined from $\Phi$ and the reference string, though still random.

The prover we just described need not remember the labeled full binary tree; it can in fact
(re)grow its branches as needed. It must, though, remember which auxiliary pairs it had associated with
the nodes of the tree. In fact, if it does not keep track of these pairs, it may use the same auxiliary pair
and the same reference string to prove different theorems, which may not be zero-knowledge. To avoid
this, and to avoid "memory," the prover uses the random selector to associate a random pair with each
node of the tree. Namely, on input a formula $\Phi$, the prover chooses $n$ bits $b_1 b_2 \cdots b_n$ by querying the
random selector with a pair whose first entry is $\Phi$ and the reference string $\sigma = \rho \circ r_1 \circ r_2$, and whose
second entry is (a description of) the set $\{0,1\}^n$. This way, if the same formula is considered twice, the
same random $n$-bit string would be selected. Then the prover computes a random, first auxiliary pair
$(x_0, y_0)$ (again using the random selector so that it could recompute the same pair any time it wanted it).
Then, for $i = 0, \ldots, n$, the auxiliary pairs $(x_{0b_1 \cdots b_i 0}, y_{0b_1 \cdots b_i 0})$ and $(x_{0b_1 \cdots b_i 1}, y_{0b_1 \cdots b_i 1})$ are those chosen by the random
selector on input $0b_1 \cdots b_i 0$ and $0b_1 \cdots b_i 1$, respectively. The pair associated to $\Phi$ is $(x_{0b_1 \cdots b_n}, y_{0b_1 \cdots b_n})$.

8 Recall the way $\rho$ is used. If $\rho_i \in QR_x$ a square root of $\rho_i \bmod x$ is given, if $\rho_i \in NQR_x$ a square root of $y\rho_i \bmod x$ is
given. In our simulation, however, all $\rho_i$ will be chosen in $QR_x$. Thus, if we want to carry on the simulation for many pairs
$(x_i, y_i)$ we need to construct a $\rho$ solely consisting of quadratic residues modulo $x_1, x_2, \ldots$, which appears very hard to do when
the number of $x_i$'s grows large.

We  now  proceed  more  formally. 


Description of (P,V).

"$a = 4e$, where $e$ is the constant of reduction $CR$. Select is $P$'s random selector. $PAIR(n)$ is the set of
pairs $(x, y)$ such that $x \in BL(n)$ and $y \in NQR_x$."

Input to P and V:

• A random string $\sigma$, $\sigma = \rho \circ r_1 \circ r_2$, where $|\rho| = 8n^3$, $|r_1| = 2n^a$ and $|r_2| = 2n^4$.

• A formula $\Phi \in 3SAT$ with $n$ clauses.

Instructions for P.

P.1 "Choose and certify the first auxiliary pair."

Compute auxiliary pair $(x_0, y_0) = $ Select$(\sigma, PAIR(n))$.

Send $(x_0, y_0)$ and run algorithm A of Section 4 on input $(x_0, y_0)$ and $\rho$. "Call $Proof_0$ the output."

P.2 "Choose and certify other auxiliary pairs."

Set $b_0 = 0$. Compute and send $b_0 b_1 b_2 \cdots b_n = $ Select$(\Phi, \{0,1\}^n)$.

For $i = 0, \ldots, n$ do:

    Set $s = b_0 \cdots b_i$.

    Compute and send $(x_{s0}, y_{s0}) = $ Select$(s0, PAIR(n))$ and $(x_{s1}, y_{s1}) = $ Select$(s1, PAIR(n))$.
    Compute $\Psi_s = CR(x_{s0}, y_{s0}, x_{s1}, y_{s1})$ and $t_s$, a satisfying assignment for $\Psi_s$.

    Execute Prove$(\Psi_s, t_s, x_s, y_s, r_1)$. "Call $Proof_{\Psi_s}$ the output."

P.3 "Prove $\Phi \in 3SAT$."

Set $s = b_0 \cdots b_n$. Let $t_\Phi$ be the lexicographically smallest satisfying assignment for $\Phi$.

Execute Prove$(\Phi, t_\Phi, x_s, y_s, r_2)$. "Call $Proof_\Phi$ the output."


Instructions for V.

"$V$ receives from $P$ the bits $b_0, b_1, \ldots, b_n$, the pairs $(x_0, y_0)$, $(x_{s_i 0}, y_{s_i 0})$, $(x_{s_i 1}, y_{s_i 1})$ for $s_i = b_0 \cdots b_i$,
$i = 0, \ldots, n$, the formulae $\Psi_{s_0}, \ldots, \Psi_{s_n}$, and the strings $Proof_0$, $Proof_{\Psi_{s_0}}, \ldots, Proof_{\Psi_{s_n}}$,
$Proof_\Phi$."

V.1 "Verify first auxiliary pair."

Run algorithm B of Section 4 on input $\rho$, $(x_0, y_0)$, and $Proof_0$.

If B stops and rejects, stop and REJECT. Else,

V.2 "Verify other auxiliary pairs."

For $i = 0, \ldots, n$ do:

    Set $s = b_0 \cdots b_i$.

    Compute $\Psi_s = CR(x_{s0}, y_{s0}, x_{s1}, y_{s1})$.

    If Check_Prove$(\Psi_s, x_s, y_s, r_1, Proof_{\Psi_s}) = $ REJECT then stop and REJECT. Else,

V.3 "Verify $Proof_\Phi$."

Compute $n$ from $\rho \circ r_1 \circ r_2$ and verify that $\Phi$ has at most $n$ clauses, and each of them has three
literals. If not, stop and REJECT. Else,

Set $s = b_0 \cdots b_n$.

If Check_Prove$(\Phi, x_s, y_s, r_2, Proof_\Phi) = $ REJECT then stop and REJECT. Else ACCEPT.
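The tree mechanism of P.1 to P.3 and V.1 to V.3 with the Section 5 proofs left out, as an added example that is not the paper's code: the random selector Select is modelled as a SHA-256 PRF keyed with the reference string (an assumption; the paper's selector is an oracle), the Blum moduli are products of two five-digit primes, and the reference string, the formula names and the depth are constructed values. Each call regrows the path of a formula from scratch, as the memoryless prover does, and the script checks the three facts the informal description relies on: the same formula always lands on the same leaf pair, different formulae land on different leaf pairs, and wherever two paths share a node $s$ the statement $\Psi_s$ (here: the two child pairs) certified with $(x_s, y_s)$ and $r_1$ is the same, so no pair is reused with $r_1$ for two different theorems.

```python
"""Added example, not the paper's code: the memoryless tree of auxiliary pairs of
Section 6.1.  Select is modelled as a keyed SHA-256 PRF (assumption); moduli are
toy-sized; the Section 5 proofs (Prove / Check_Prove) are not implemented."""
import hashlib
from functools import lru_cache

N_BITS = 24   # depth n of the tree (constructed; the paper ties n to the formula size)


def prf(sigma, *parts):
    """Stand-in for the random selector: the same query always gets the same answer."""
    h = hashlib.sha256(sigma)
    for part in parts:
        h.update(b'|' + str(part).encode())
    return int.from_bytes(h.digest(), 'big')


def is_prime(m):
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True


def next_blum_prime(start):
    """Smallest prime >= start that is 3 mod 4 (toy sizes; the paper uses n-bit primes)."""
    m = start + ((3 - start) % 4)
    while not is_prime(m):
        m += 4
    return m


def legendre(a, p):
    """1 for a square mod p, p-1 for a non-square (p odd prime, p does not divide a)."""
    return pow(a % p, (p - 1) // 2, p)


@lru_cache(maxsize=None)
def select_pair(sigma, label):
    """Select(label, PAIR(n)): a Blum modulus x = p*q and a y in NQR_x (Jacobi +1,
    i.e. a non-square mod both primes).  Deterministic in (sigma, label), so the
    prover can recompute any node instead of storing the tree."""
    p = next_blum_prime(50_000 + prf(sigma, label, 'p') % 50_000)
    q = next_blum_prime(50_000 + prf(sigma, label, 'q') % 50_000)
    while q == p:
        q = next_blum_prime(q + 4)
    x = p * q
    k = 0
    while True:
        y = prf(sigma, label, 'y', k) % x
        if y and legendre(y, p) == p - 1 and legendre(y, q) == q - 1:
            return x, y
        k += 1


def prover_path(sigma, phi):
    """Steps P.2 and P.3 without the proofs: returns the bits b_0...b_n, the leaf
    pair used with r_2 to prove phi, and for every node s on the path the statement
    Psi_s (the two child pairs) that is certified with (x_s, y_s) and r_1.
    The root pair is selected from label '0' here; P.1 queries Select(sigma, PAIR(n))."""
    bits = '0' + format(prf(sigma, 'bits', phi) % (1 << N_BITS), f'0{N_BITS}b')
    certs = []
    for i in range(N_BITS + 1):
        s = bits[:i + 1]
        psi_s = (select_pair(sigma, s + '0'), select_pair(sigma, s + '1'))
        certs.append((s, select_pair(sigma, s), psi_s))
    return bits, select_pair(sigma, bits), certs


def demo(sigma=b'constructed reference string',
         formulas=tuple(f'phi_{i}' for i in range(8))):
    runs = {phi: prover_path(sigma, phi) for phi in formulas}
    # Same formula, same leaf pair: the prover needs no memory of earlier proofs.
    stable = all(prover_path(sigma, phi)[1] == runs[phi][1] for phi in formulas)
    # Different formulae, different leaf pairs (with overwhelming probability).
    distinct = len({runs[phi][1] for phi in formulas}) == len(formulas)
    # Shared nodes carry the same statement Psi_s, so (x_s, y_s) and r_1 are never
    # used to prove two different theorems.
    statements, consistent = {}, True
    for _, _, certs in runs.values():
        for s, _, psi_s in certs:
            consistent &= statements.setdefault(s, psi_s) == psi_s
    return stable, distinct, consistent


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The `lru_cache` only saves recomputation; removing it changes nothing, which is exactly the point of deriving every node from Select rather than from stored state.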

6.2 (P,V) is a Non-Interactive Proof System for 3SAT

The Proof System $(P, V)$ of Section 5 constitutes the main building block of the just described sender-receiver
pair $(P, V)$. Therefore, the completeness of $(P, V)$ can be easily derived from the analysis of
completeness in Section 5.2.

Let us now focus our attention on the soundness. We shall show that, if the formula $\Phi$ is not
3-satisfiable, then for any Turing machine $Adversary$ (even a "cheating" one that chooses $\Phi$ after seeing the
reference string), $V$ will accept the proof provided by $Adversary$ with sufficiently low probability. The
proof closely follows the reasoning done in Section 5.2 to prove the soundness of the proof system $(P, V)$
described in 5.1. We distinguish two cases:

1. For some $w$, $(x_w, y_w) \notin \mathcal{NQR}(2n)$.

2. All the pairs $(x_w, y_w)$ belong to $\mathcal{NQR}(2n)$ but $\Phi \notin 3SAT$.

If $(x_0, y_0) \notin \mathcal{NQR}(2n)$, we are in the very same situation analyzed in case (a) in the proof of soundness of
Section 5.2. By the same reasoning, we conclude that the verification of step 1 is passed with sufficiently
low probability. Suppose that for $w = sb$, where $b \in \{0,1\}$, $(x_w, y_w) \notin \mathcal{NQR}(2n)$ and $(x_s, y_s) \in$
$\mathcal{NQR}(2n)$. Then $\Psi_s \notin 3SAT$ and therefore the procedure Check_Prove invoked for $\Psi_s$ returns REJECT
with sufficiently high probability.

Now, suppose that all pairs $(x_w, y_w)$ belong to $\mathcal{NQR}(2n)$ but $\Phi \notin 3SAT$. Since $(x_s, y_s) \in \mathcal{NQR}(2n)$,
$s = b_0 b_1 \cdots b_n$, following the reasoning done for cases (b) and (c) in the proof of soundness in Section 5.2,
we conclude that verification step V.3 is passed with very low probability.

Now, we show that the Proof System $(P, V)$ is also Zero-Knowledge over $3SAT$.

6.3 The Simulator

In this section, we describe an efficient algorithm $S$; in the next section we will prove that, on input a
sequence of 3-satisfiable formulae, $S$'s output cannot, under the QRA, be distinguished from $V$'s view by
any efficient non-uniform algorithm.
S's Program

Input: An integer $n > 0$. A sequence $\Phi_1, \Phi_2, \ldots$ of 3-satisfiable formulae with $n$ clauses each.

0. Set $Sim\_Output$ = empty string and $Tree$ = empty set.

1. "Choose $\rho'$ and choose and certify first auxiliary pair."

Randomly select two $n$-bit primes $p_0, q_0 \equiv 3 \bmod 4$ and set $x_0 = p_0 q_0$. Randomly select $y'_0 \in QR_{x_0}$.
Execute procedure Gen_$\rho$_and_Proof1$(x_0, y'_0)$, thus obtaining the strings $\rho'$ and $Proof_0$.

2. "Choose $r_1$ and $r_2$."

Randomly select two strings $r_1$ and $r_2$ so that $|r_1| = 2n^a$ and $|r_2| = 2n^4$.

3. For each input formula $\Phi$ do:

3.1 "Choose and certify other auxiliary pairs."

Set $b_0 = 0$ and randomly select $b_1 \cdots b_n$. Append $(x_0, y'_0)$, $Proof_0$ and $b_0 b_1 \cdots b_n$ to $Sim\_Output$.
For $i = 0, \ldots, n$ do:

    Let $s = b_0 b_1 \cdots b_i$.

    If $s \notin Tree$ then
        Add $s$ to $Tree$.

        Randomly select 4 $n$-bit primes $p_{s0}, q_{s0}, p_{s1}, q_{s1} \equiv 3 \bmod 4$.

        Set $x_{s0} = p_{s0} q_{s0}$ and $x_{s1} = p_{s1} q_{s1}$.
        Randomly select $y'_{s0} \in QR_{x_{s0}}$ and $y'_{s1} \in QR_{x_{s1}}$.
        Compute $\Psi_s = CR(x_{s0}, y'_{s0}, x_{s1}, y'_{s1})$.

        Execute procedure Gen_Proof2$(\Psi_s, x_s, y'_s, p_s, q_s, r_1)$, thus obtaining $Proof_{\Psi'_s}$.

    Append $(x_{s0}, y'_{s0})$, $(x_{s1}, y'_{s1})$, and $Proof_{\Psi'_s}$ to $Sim\_Output$.

3.2 "Prove $\Phi \in 3SAT$."

Set $s = b_0 b_1 \cdots b_n$. Execute Gen_Proof2$(\Phi, x_s, y'_s, p_s, q_s, r_2)$ obtaining $Proof_{\Phi'}$.

Append $Proof_{\Phi'}$ to $Sim\_Output$.

Output: $(\rho' \circ r_1 \circ r_2, Sim\_Output)$

Lemma 6.1 Algorithm $S$ is efficient.

Proof: The running time of $S$ is proportional to the number of input formulae. For each single input
formula, all operations can be efficiently computed. Thus, $S$ is efficient. (Notice, again, that the running
time is polynomial with respect to the input size, though it may be exponential in the parameter $n$.) □

The random variable output by $S$ is certainly different from $View$ and, before proceeding any further, let
us compare them. In $View$ the string $\rho$ is truly random, while the corresponding string $\rho'$ constructed
by $S$ does not contain any element in $NQR_{x_0}$. In $View$, each $y_s$ is a quadratic non residue modulo the
corresponding $x_s$, whereas in $S$, $y'_s$ is chosen among the quadratic residues modulo $x_s$. Because of the
different quadratic residuosity of the $y_s$'s, the two distributions differ also in the $\Psi_s$'s and in the strings
$Proof_{\Psi_s}$ and $Proof_\Phi$. In fact, the formula $\Psi_s$ is satisfiable iff both $(x_{s0}, y_{s0})$ and $(x_{s1}, y_{s1})$ are of the
prescribed form. This is certainly the case in $View$. But in $S$, as all $y'_s$'s are quadratic residues, none of
the pairs $(x_s, y'_s)$ is of the prescribed form and therefore none of the $\Psi_s$'s is satisfiable. Moreover, the $y_s$'s
are also used to compute the labeling of the literals in the strings $Proof_{\Psi_s}$'s and $Proof_\Phi$'s and thus in
$S$ all literals are labeled with quadratic non residues.

In the next section, we shall prove, using a reasoning similar to the one in Section 5.3 that, despite
the differences described above, the two families of random variables cannot be distinguished by any
efficient non-uniform algorithm, under the QRA.

6.4 (P,V) is Zero-Knowledge

Theorem 6.2 Under the QRA, the sender-receiver pair $(P, V)$ of Section 6.1 is a Non-Interactive ZKPS.

Proof. All that is left to prove is that $(P, V)$ satisfies the Zero-Knowledge condition. We do this by
showing that the output of algorithm $S$ of the previous section cannot be distinguished from the view of
the verifier $V$ by any efficient non-uniform algorithm.

We proceed by contradiction. Assume that there exists a constant $d > 0$, an infinite subset $I \subseteq \mathbb{N}$,
a set $\{(\Phi_1^n, \Phi_2^n, \ldots)\}_{n \in I}$ of sequences of 3-satisfiable formulae, where $\Phi_i^n$ has $n$ clauses, and an efficient
non-uniform algorithm $D = \{D_n\}_{n \in I}$ such that for all $n \in I$

$$|P_V(n) - P_S(n)| > n^{-d},$$

where $P_V(n) = \Pr(s \leftarrow View(\Phi_1^n, \Phi_2^n, \ldots) : D_n(s) = 1)$ and $P_S(n) = \Pr(s \leftarrow S(1^n, \Phi_1^n, \Phi_2^n, \ldots) : D_n(s) = 1)$.

Let $R(n)$ be a polynomial such that the running time and the size of the program of each algorithm
$D_n$ is bounded by $R(n)$. Without loss of generality we can consider $R(n)$-tuples of 3-satisfiable formulae
instead of arbitrary sequences of 3-satisfiable formulae.

As we have seen in the last section, a main difference between $S$'s output and the view of the verifier is
in the $y_s$'s: they are all quadratic residues modulo the corresponding $x_s$'s in $S$'s output, while they are all
quadratic non residues in $View$. We will now describe an efficient non-uniform algorithm $C = \{C_n\}_{n \in I}$.
Each $C_n$ takes two inputs: $j \ge 0$ and $(x, y) \in PAIR(n) = \{(u, v) : u \in BL(n), v \in J_u^{+1}\}$; and has
"wired-in" the formulae $\Phi_1^n, \ldots, \Phi_{R(n)}^n$ along with their lexicographically smallest satisfying assignments.
Roughly speaking, $C_n$ produces as output a "random" string and "proofs" for all formulae $\Phi_i^n$'s. $C_n$
selects the input pair $(x, y)$ as the $j$-th auxiliary pair. All prior pairs are selected as simulator $S$ does
and all subsequent pairs as prover $P$ does. Thus, $C_n$ "knows" the factorization of the Blum modulus for
all auxiliary pairs except $(x, y)$. Nonetheless, algorithm $C_n$ will use $(x, y)$ as $S$ would if $y \in QR_x$, and
as $P$ would if $y \in NQR_x$. More formally, $C_n$ is designed so as to enjoy the following properties. Set

$$Space(n, j, QR) = \{x \leftarrow BL(n);\; y \leftarrow QR_x;\; s \leftarrow C_n(j, x, y) : s\}$$

$$Space(n, j, NQR) = \{x \leftarrow BL(n);\; y \leftarrow NQR_x;\; s \leftarrow C_n(j, x, y) : s\}.$$

Then,

Property (1) $Space(n, 0, NQR) = View(n, \Phi_1^n, \ldots, \Phi_{R(n)}^n)$

Property (2) $Space(n, nR(n) + 1, QR) = \{s \leftarrow S(1^n, \Phi_1^n, \ldots, \Phi_{R(n)}^n) : s\}$

Property (3) $Space(n, j, QR) = Space(n, j + 1, NQR)$

From these properties we will conclude that the existence of $D$ violates the QRA. We now formally
describe the algorithm, and then prove all the stated properties.

The Algorithm $C_n$

"$C_n$ has "wired-in" the $R(n)$-tuple $(\Phi_1^n, \ldots, \Phi_{R(n)}^n)$ and, for each $\Phi \in \{\Phi_1^n, \ldots, \Phi_{R(n)}^n\}$, the lexicographically
smallest satisfying assignment $t_\Phi$."

Input: An integer $j \in [0, nR(n) + 1]$. A pair $(x, y) \in PAIR(n)$.

1. "Choose $\rho$ and choose and certify first auxiliary pair."

If $j = 0$ then set $x_0 = x$ and $y_0 = y$.

Else randomly select 2 $n$-bit primes $p_0, q_0 \equiv 3 \bmod 4$, set $x_0 = p_0 q_0$, and select $y_0 \in QR_{x_0}$.
Execute procedure Gen_$\rho$_and_Proof1$(x_0, y_0)$, thus obtaining $\rho$ and $Proof_0$.

2. "Choose other auxiliary pairs."

"$Tree$ contains the indices of auxiliary pairs that are used to certify two other auxiliary pairs.
$Count$ contains the number of all selected auxiliary pairs."

Set $Tree$ = empty set and $Count = 1$.

For each formula $\Phi \in \{\Phi_1^n, \ldots, \Phi_{R(n)}^n\}$ do:

    Set $b_0^\Phi = 0$ and randomly select $n$ bits $b_1^\Phi, \ldots, b_n^\Phi$.

    For $i = 0, \ldots, n$ do:

        Set $s = b_0^\Phi \cdots b_i^\Phi$.
        If $s \notin Tree$ then

            Add $s$ to $Tree$. Randomly select 4 $n$-bit primes $p_{s0}, q_{s0}, p_{s1}, q_{s1} \equiv 3 \bmod 4$.

            "Choose 0-child."

            If $Count = j$ then set $x_{s0} = x$, $y_{s0} = y$.

            If $Count < j$ then set $x_{s0} = p_{s0} q_{s0}$ and randomly select $y_{s0} \in QR_{x_{s0}}$.

            If $Count > j$ then set $x_{s0} = p_{s0} q_{s0}$ and randomly select $y_{s0} \in NQR_{x_{s0}}$.

            $Count = Count + 1$

            "Choose 1-child."

            If $Count = j$ then set $x_{s1} = x$, $y_{s1} = y$.

            If $Count < j$ then set $x_{s1} = p_{s1} q_{s1}$ and randomly select $y_{s1} \in QR_{x_{s1}}$.

            If $Count > j$ then set $x_{s1} = p_{s1} q_{s1}$ and randomly select $y_{s1} \in NQR_{x_{s1}}$.

            $Count = Count + 1$

3. "Choose $r_1$ and $r_2$."

Let $w$ be the index of $(x, y)$, that is $(x_w, y_w) = (x, y)$. If there is no such $w$, set $w$ = empty string.9
If $w \in Tree$ then

    Compute $\Psi_w = CR(x_{w0}, y_{w0}, x_{w1}, y_{w1})$ and a satisfying assignment $t_w$ for $\Psi_w$.

    Execute procedure Sample_r_and_Proof2$(\Psi_w, t_w, x_w, y_w)$ obtaining $r_1$ and $Proof_{\Psi_w}$.

    Randomly select a $2n^4$-bit string $r_2$.

Else, if $w = b_0^\Phi \cdots b_n^\Phi$, for $\Phi \in \{\Phi_1^n, \ldots, \Phi_{R(n)}^n\}$, then

    Execute procedure Sample_r_and_Proof2$(\Phi, t_\Phi, x, y)$ obtaining $r_2$ and $Proof_\Phi$.

    Randomly select a $2n^a$-bit string $r_1$.

Else, randomly select a $2n^a$-bit string $r_1$ and a $2n^4$-bit string $r_2$.

9 It may happen that less than $j$ (different) auxiliary pairs will be chosen. To give an extreme example, it may happen
that, for all $\Phi$, the bits $b_1^\Phi \cdots b_n^\Phi$ are always the same.

4. "Choose proofs with respect to $r_1$ and $r_2$."

Set $PROOF$ = empty string and $Tree = \{w\}$.

For each formula $\Phi \in \{\Phi_1^n, \ldots, \Phi_{R(n)}^n\}$ do:

4.1 "Certify auxiliary pairs."

    Append $(x_0, y_0)$, $Proof_0$, and $b_0^\Phi \cdots b_n^\Phi$ to $PROOF$.

    For $i = 0, \ldots, n$ do:

        Set $s = b_0^\Phi \cdots b_i^\Phi$.

        If $s \notin Tree$ then
            Add $s$ to $Tree$.

            If $y_s \in NQR_{x_s}$ then

                Compute $\Psi_s = CR(x_{s0}, y_{s0}, x_{s1}, y_{s1})$ and a satisfying assignment $t_s$ for $\Psi_s$.
                Execute procedure Prove$(\Psi_s, t_s, x_s, y_s, r_1)$ obtaining $Proof_{\Psi_s}$.

            If $y_s \in QR_{x_s}$ then execute Gen_Proof2$(\Psi_s, x_s, y_s, p_s, q_s, r_1)$ obtaining $Proof_{\Psi_s}$.

        Append $(x_{s0}, y_{s0})$, $(x_{s1}, y_{s1})$, and $Proof_{\Psi_s}$ to $PROOF$.

4.2 "Prove $\Phi \in 3SAT$."

    Set $s = b_0^\Phi \cdots b_n^\Phi$.

    If $s \ne w$ then

        If $y_s \in NQR_{x_s}$ then execute procedure Prove$(\Phi, t_\Phi, x_s, y_s, r_2)$ obtaining $Proof_\Phi$.

        If $y_s \in QR_{x_s}$ then execute Gen_Proof2$(\Phi, x_s, y_s, p_s, q_s, r_2)$ obtaining $Proof_\Phi$.

    Append $Proof_\Phi$ to $PROOF$.

Output: $(\rho \circ r_1 \circ r_2, PROOF)$.

First notice that $\{C_n\}_{n \in I}$ is an efficient non-uniform algorithm. All $x_s$'s (but the $j$-th) are selected along with their prime factors, and thus all related computations can be performed in expected polynomial time. All operations concerning $x$ and $y$ are simple multiplications and tests of membership in $J^{+1}_x$. The size of the set $Tree$ is never bigger than $nR(n)$, and thus membership and add operations are easily performed.

The strings $r_1$ and $r_2$ constructed by $C_n$ are random. Indeed, either they are randomly selected or they are generated by Sample_r_and_Proof2. The analysis in Section 5.4 shows that in the latter case the resulting string $r$ is random.

Proof of Property (1). Assume $j = 0$ and $y \in NQR_x$. All $y_s$'s are quadratic non-residues in $C_n$'s output. $(x,y)$ is set equal to $(x_0, y_0)$ and used twice: at step 1 to produce $\rho$ and $Proof_\rho$, and at step 3 to construct $Proof_{\Psi_0}$. Both the strings $Proof_\rho$ and $Proof_{\Psi_0}$ have the same probability of being chosen as in $View$ when the first pair is $(x_0, y_0)$. From Lemma 5.1, each string $\rho$ is equally likely to be constructed at step 1. Thus, $Space(n, 0, NQR) = View(n, \Phi^n_1, \ldots, \Phi^n_{R(n)})$.

Proof of Property (2). Suppose $j = nR(n) + 1$. To prove $R(n)$ formulae, at most $nR(n)$ auxiliary pairs are needed. Thus, each $y_s$ constructed by $C_n$ belongs to $QR_{x_s}$. All the strings $Proof_{\Psi_s}$ and $Proof_{\Phi_i}$ are constructed in exactly the same way both by $S$ and by $C_n$. Hence, $Space(n, nR(n)+1, QR)$ coincides with the probability space of the outputs of $S(1^n, \Phi^n_1, \ldots, \Phi^n_{R(n)})$.

Proof of Property (3). Consider now the two probability spaces $Space(n, j, QR)$ and $Space(n, j+1, NQR)$. In both spaces the auxiliary pairs are randomly chosen so that the first $j$ $y_s$'s are quadratic residues modulo the corresponding $x_s$'s and, from the $(j+1)$-st on, all the $y_s$'s are quadratic non-residues. All computations concerning pairs $(x_s, y_s)$ different from $(x,y)$ are performed in the same way. The pair $(x,y)$ is used to construct either a proof $Proof_{\Psi_w}$ for a formula $\Psi_w$ derived from a reduction, or a proof $Proof_{\Phi_i}$ for one of the formulae $\Phi_i$, or is never used. In the former two cases the proof is generated using the procedure Sample_r_and_Proof2. When $y \in NQR_x$ ($y \in QR_x$), this procedure returns a string $Proof$ that has the same distribution as if it were generated by the procedure Prove (Gen_Proof2). Thus, $Space(n, j, QR) = Space(n, j+1, NQR)$.

We now conclude the proof of Theorem 6.2. We have assumed that $D$ distinguishes between the output of $S(1^n, \Phi^n_1, \ldots, \Phi^n_{R(n)})$ and $View(n, \Phi^n_1, \ldots, \Phi^n_{R(n)})$. From Properties (1) and (2), this is tantamount to saying that $D$ distinguishes between $Space(n, 0, NQR)$ and $Space(n, nR(n)+1, QR)$. By the pigeonhole principle, and because of Property (3), for all $n \in I$ there exists $j = j(n)$, $0 \le j \le nR(n)+1$, such that $D$ distinguishes between $Space(n, j, QR)$ and $Space(n, j, NQR)$. That is, for all $n \in I$,

$$|P_j(n, QR) - P_j(n, NQR)| > \frac{1}{(nR(n)+2)\, n^d},$$

where $P_j(n, QR) = \Pr(s \leftarrow Space(n, j, QR) : D_n(s) = 1)$ and $P_j(n, NQR) = \Pr(s \leftarrow Space(n, j, NQR) : D_n(s) = 1)$. Thus, composing each $C_n(j(n), \cdot, \cdot)$ with $D_n$ one obtains an efficient non-uniform algorithm that violates the QRA. □
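The pigeonhole step above, written out as an added note (not part of the original proof) in the notation $P_j(n, \cdot)$ just defined. Property (3) gives $P_j(n, QR) = P_{j+1}(n, NQR)$ for $0 \le j \le nR(n)$, so the differences telescope:

$$\bigl| P_0(n, NQR) - P_{nR(n)+1}(n, QR) \bigr| = \Bigl| \sum_{j=0}^{nR(n)+1} \bigl( P_j(n, NQR) - P_j(n, QR) \bigr) \Bigr| \le \sum_{j=0}^{nR(n)+1} \bigl| P_j(n, NQR) - P_j(n, QR) \bigr| .$$

The left-hand side is the advantage with which $D$ was assumed to tell $S$'s output from the view, greater than $1/n^d$ for $n \in I$ (the $d$ appearing in the bound above); since the right-hand side has $nR(n)+2$ terms, at least one of them exceeds $1/((nR(n)+2) n^d)$, and that index is the $j(n)$ selected in the proof.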

6.5  Proving  theorems  of  arbitrary  size 

Given a reference string of $8n^3 + 2n^a + 2n^b$ bits, the proof system $(P, V)$ of Section 6.1 can be used to prove in zero-knowledge the 3-satisfiability of an arbitrary number of 3-satisfiable formulae, but each of them must have at most $n$ clauses.

Now, we show how to use the same proof system to prove 3-satisfiable formulae with any number of clauses. Given a formula $\Phi$ with $k$ clauses, the prover computes a certified auxiliary pair $(x_*, y_*)$ and the lexicographically smallest satisfying assignment $t$ for $\Phi$. To label each literal $u_j$ of $\Phi$ the prover randomly selects $r_j \in Z^*_{x_*}$ and, if $t(u_j) = 1$, he associates to $u_j$ the label $w_j = r_j^2 y_* \bmod x_*$, otherwise the label $w_j = r_j^2 \bmod x_*$. The label associated to $\bar{u}_j$ is $w_j y_* \bmod x_*$. Essentially, a literal has an element of $NQR_{x_*}$ as label iff it is made true by $t$. To prove that $\Phi \in 3SAT$, the prover proves that each clause has at least one element of $NQR_{x_*}$ among the labels of its three literals. That is, consider the language $L = \{(y_1, y_2, y_3, x) : \text{at least one of } y_1, y_2, y_3 \text{ belongs to } NQR_x\}$. Then $L \in NP$ and therefore there exists a fixed polynomial-time computable reduction $RED$ such that

$$RED(y_1, y_2, y_3, x) \in 3SAT_{n^f} \iff (y_1, y_2, y_3, x) \in L,$$

where $f$ is a fixed constant depending only on $RED$. Therefore, to prove that the $i$-th clause is satisfied, the prover computes the formula obtained by applying the reduction $RED$ to the labels of its three literals and to $x_*$, and proves that this formula is in $3SAT$. By the property of the reduction the length of the formula is upper bounded by $n^f$, and it can thus be proved 3-satisfiable using the previously described proof system $(P, V)$ with a reference string of $8n^{3f} + 2n^{af} + 2n^{bf}$ bits. Therefore, we have reduced the problem of proving the 3-satisfiability of one formula with many clauses to that of proving the 3-satisfiability of many formulae, each with at most $n^f$ clauses.
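The labelling of this section carried out on a small constructed instance, as an added example that is not code from the paper. It assumes a demonstration-size modulus (two 32-bit primes), a constructed three-variable 3-CNF formula and two constructed assignments; the factorisation of $x_*$ is used in place of the non-interactive proof of the reduced formula to decide which labels are non-residues, while the Jacobi-symbol checks are the ones a verifier can run without it.

```python
from math import gcd
import random

# Added worked example of the literal labelling of Section 6.5; this is not the
# paper's code. Modulus size, the 3-CNF formula and the assignments are constructed
# here, and membership in NQR_x is decided from the factorisation of x, standing in
# for the non-interactive proof of the reduced 3SAT formula a verifier would check.


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for a demonstration-size modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        v = pow(rng.randrange(2, n - 1), d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = v * v % n
            if v == n - 1:
                break
        else:
            return False
    return True


def random_blum_prime(bits, rng):
    """Random prime p = 3 (mod 4) of the given size, so x = pq is a Blum integer."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p, rng):
            return p


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n: the public test for membership in J_x^{+1}."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(y, p, q):
    """Quadratic residuosity modulo x = pq, decided from the factorisation (prover side)."""
    return pow(y, (p - 1) // 2, p) == 1 and pow(y, (q - 1) // 2, q) == 1


def make_auxiliary_pair(bits, rng):
    """An auxiliary pair (x, y): x = pq and y in NQR_x with Jacobi symbol +1."""
    p, q = random_blum_prime(bits, rng), random_blum_prime(bits, rng)
    while q == p:
        q = random_blum_prime(bits, rng)
    x = p * q
    while True:
        y = rng.randrange(2, x)
        if gcd(y, x) == 1 and jacobi(y, x) == 1 and not is_qr(y, p, q):
            return x, y, p, q


def label_literals(num_vars, assignment, x, y, rng):
    """Labels for u_j (key j) and its negation (key -j) as in Section 6.5:
    w_j = r_j^2 y mod x if t(u_j) = 1, w_j = r_j^2 mod x otherwise, and the
    negated literal gets w_j y mod x, so exactly the true literal lies in NQR_x."""
    labels = {}
    for j in range(1, num_vars + 1):
        r = rng.randrange(1, x)
        while gcd(r, x) != 1:
            r = rng.randrange(1, x)
        w = (r * r * y) % x if assignment[j] else (r * r) % x
        labels[j], labels[-j] = w, (w * y) % x
    return labels


def labels_well_formed(labels, x, y):
    """Checks anyone can run: every label is in J_x^{+1} and the negated literal's
    label is the literal's label times y, so exactly one of the two is a non-residue."""
    return all(jacobi(w, x) == 1 for w in labels.values()) and all(
        labels[-j] == labels[j] * y % x for j in labels if j > 0)


def clause_has_nqr_label(clause, labels, p, q):
    """The per-clause statement the prover proves through RED and (P, V)."""
    return any(not is_qr(labels[lit], p, q) for lit in clause)


def encode_and_check(clauses, num_vars, assignment, bits=32, seed=1):
    """Label the formula under `assignment`; return (well_formed, per-clause verdicts)."""
    rng = random.Random(seed)
    x, y, p, q = make_auxiliary_pair(bits, rng)
    labels = label_literals(num_vars, assignment, x, y, rng)
    verdicts = [clause_has_nqr_label(c, labels, p, q) for c in clauses]
    return labels_well_formed(labels, x, y), verdicts


# Constructed 3-CNF: integer j denotes u_j, -j denotes its negation.
CLAUSES = [(1, 2, 3), (-1, 2, -3), (1, -2, 3)]
SATISFYING = {1: True, 2: True, 3: False}
FALSIFYING = {1: False, 2: False, 3: False}  # makes the first clause false

if __name__ == "__main__":
    print(encode_and_check(CLAUSES, 3, SATISFYING))   # (True, [True, True, True])
    print(encode_and_check(CLAUSES, 3, FALSIFYING))   # (True, [False, True, True])
```

Under the satisfying assignment every clause carries a non-residue label, while under the all-false assignment the first clause carries none; that per-clause fact is exactly what the reduction $RED$ turns into a formula for $(P, V)$. The verifier cannot evaluate is_qr itself, which is why each clause needs its own proof with respect to the reference string, and the two public checks in labels_well_formed are all it can do on the labels alone.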

6.6  Efficient  Provers 

In the proof system of subsection 6.1, for convenience of presentation, the prover $P$ was made quite powerful. For instance, $P$ needs to find the lexicographically first satisfying assignment of a formula for proving that it is in 3SAT. This, however, is not necessary. It is easily seen that, under the QRA, the verifier would obtain an indistinguishable view [GoMiRa], no matter which satisfying assignment the prover may use. Also, it is possible for the prover to have access to a random oracle instead of a random selector and still generate essentially the same view to a polynomial-time verifier. In fact, by well known techniques, a random oracle can be transformed into a random function associating to each string $a$ a "polynomially longer" random string. This random string may be used to select the necessary primes and quadratic residues and non-residues with essentially the same odds as for a random selector. Actually, if one replaces the random oracle with a poly-random function as in Goldreich, Goldwasser, and Micali [GoGoMi], the view of the verifier would still be indistinguishable from the one it obtains from $P$. These functions exist under the QRA (footnote 10), and the replacement only entails that the same, short, randomly selected string should be remembered throughout the proving process.

In sum, the prover may very well be polynomial-time, as long as it is given satisfying assignments for the formulae that need to be proved satisfiable in non-interactive zero-knowledge.

7  Related  Work  Improvements 

We had posed two main open problems:

1. whether many provers could share the same random string (footnote 11), and

2. whether it is possible to implement non-interactive zero-knowledge under a general complexity assumption, rather than our specific number-theoretic one.

Recently, both our questions have been solved in a beautiful paper by Feige, Lapidot, and Shamir [FeSh]. They show that any number of provers can share the same random string and that any trap-door permutation can be used instead of quadratic residuosity. They also show that one-way permutations are sufficient for bounded non-interactive zero-knowledge, but the prover needs to have exponential computing power. Our first question alone was also independently solved by De Santis and Yung [DeYu].

Non-interactive zero-knowledge has been shown to yield a new paradigm for digital signature schemes by Bellare and Goldwasser [BeGo].

De Santis, Micali, and Persiano [DeMiPe2] show that, if any one-way function exists, after an interactive preprocessing stage, any "sufficiently short" theorem can be proven non-interactively and in zero-knowledge. A simpler method can be found in [FeSh].

Kilian, Micali, and Ostrovsky [KiMiOs] have shown that, if any one-way function exists, after a preprocessing stage consisting of a "few" executions of an oblivious transfer protocol, any theorem can be proven in zero-knowledge and non-interactively. (Namely, after executing $O(k)$ oblivious transfers, the probability of accepting a false theorem is 1 in $2^k$.) Bellare and Micali [BeMi] show that, based on a complexity assumption, it is possible to build public-key cryptosystems in which oblivious transfer is itself implementable without any interaction.

8  An  Important  Open  Problem 

Introducing new cryptographic primitives is crucial, but would be essentially impossible without first relying on some special, though hopefully well studied, complexity assumptions. It is just as important, though, to later find the minimal assumptions for implementing these primitives. In fact, "extra structure" may make it easier to prove that the desired property holds, but may also force the underlying complexity assumption to be false. Personally, the third author finds a dramatic difference between one-way functions and one-way permutations. (Breaking a glass is quite easy. Putting it back together is certainly harder, but what if we were guaranteed that there is a unique way to do so?)

Footnote 10. In fact, Blum, Blum, and Shub [BlBlSh] show that the QRA implies the existence of a poly-random generator in the sense of Blum and Micali [BlMi] and Yao [Ya], and [GoGoMi] show that any poly-random generator can be used to construct a poly-random function.

Footnote 11. Indeed, if this were done in our protocol, completeness and soundness would still hold. However, it is not clear whether zero-knowledge would be preserved. Without changing our proof systems, we can handle only a moderate number of provers. This number is limited for the same reasons outlined in footnote 6.

We believe non-interactive zero-knowledge to be a fundamental primitive, one deserving the effort to establish the minimal complexity assumptions needed for it to be securely implemented. We thus hope the following question will be settled:


If one-way functions exist, does 3SAT have non-interactive zero-knowledge proof systems whose prover, given the proper witness, needs only to work in polynomial time?